Last Updated: December 31, 2019

Important Information
We at KnowBe4, Inc. are committed to protecting your data. The data protection practices set forth in this Product Privacy Notice (the “Product Privacy Notice”) are for technology platforms owned by KnowBe4, Inc. (“KnowBe4”, “we”, “our”, or “us”). This Product Privacy Notice tells you how KnowBe4 uses Personal Data collected on our technology platform(s).  “Personal Data” means any personally identifiable information such as your name, address, date of birth, phone number, and email address.

By using our technology platform(s), you are accepting the practices described in this Product Privacy Notice.  If you do not agree with the data practices provided in this Product Privacy Notice, you should not use products and services provided by KnowBe4. We may make changes to this Product Privacy Notice at our sole discretion at any time. We encourage you to periodically review this Product Privacy Notice to stay informed about our collection, processing, and sharing of your Personal Data. Your continued use of this Site after we make changes to the Product Privacy Notice is deemed to be acceptance of those changes.

For the avoidance of doubt, this Product Privacy Notice only applies to the extent we process Personal Data in the role of a processor on behalf of our customers. If you have executed a Data Protection Agreement with KnowBe4, the terms of such agreement will supersede this Product Privacy Notice.

What This Notice Covers:
This Product Privacy Notice applies to the processing of Personal Data collected by us when you:

  • Use our products and services (where we act as a processor of your Personal Data)
  • Create a free account to use our products and services on behalf of your employer

Personal Data KnowBe4 Collects
The Personal Data that we collect directly from you includes the following:

  • Business Contact information: first name, last name, employer, title, city, state, country, phone number, IP address, and business email addresses
  • Automatically collected information: information collected via cookies and web beacons, including IP address, browser name, operating system details, domain name, date of visit, time of visit, and pages viewed, or other similar information
  • Console Information: Simulated phishing, security awareness testing and training results, security assessment results, and information uploaded to KCM GRC tool

Protected Health Information, Payment Card Information and other Sensitive Information.
KnowBe4 does not need, nor does it request, any protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”), nor does it need or request any non-public consumer personally identifiable information or financial information governed by the Gramm-Leach-Bliley Act (“GLBA”) or payment card information covered by the Payment Card Industry Data Security Standards (“PCI DSS”) in order to provide its products and services. You should never disclose, or allow to be disclosed, PHI, information protected by PCI DSS or GLBA, or other sensitive information to KnowBe4. In the event that a user discloses such information (which would be a violation of this Product Privacy Notice), you, on behalf of your organization, acknowledge that KnowBe4 does not take steps to ensure its products are HIPAA or PCI compliant. All obligations of the aforementioned regulations remain solely with you, on behalf of your organization.

Visitors under the age of 16
Our Website and our technology platforms are not intended for persons under the age of 16. Thus, we do not intentionally gather Personal Data from visitors who are under the age of 16. If you are under the age of 16, please do not submit your Personal Data via our submission forms.

How Personal Data is Collected
Personal Data is collected by KnowBe4 when it is shared by your organization’s account administrator (the “Account Admin”), at the discretion of your organization. Personal Data will also be requested from you through our products and services (i.e. technology platforms) by your Account Admin at your organization’s discretion. KnowBe4 collects the minimum information necessary to provide its products and services to you.

Cookies and Other Identifiers
We use common information-gathering tools, such as tools for collecting usage data, cookies, web beacons and similar technologies to automatically collect information that contains Personal Data from your computer or mobile device as you navigate our Site, use our services, or interact with emails we have sent to you.

Cookies, web beacons and other tracking technologies on our products and services
KnowBe4 uses cookies and other tracking technologies when users interact with our products and services. Cookies are small text files that are placed on your computer by a website. Each one of these cookies contains an identification number, IP address, and the time and date last accessed. KnowBe4 does NOT use these cookies contained within our products and services for targeted advertising.

Below are the two types of cookies that are used on KnowBe4’s platform for its products and services.

  • Session based cookies - These are only used to determine how long you remain on the platform and immediately expire when you leave our platform or logout.
  • Support cookies - These cookies allow us to track onboarding times and other metadata in order to provide better service to our users.

Most browsers are set up to accept cookies. If you choose, you may refuse to accept cookies or set up your browser so that it notifies you when you receive a cookie.

How We Use Your Personal Data
We collect and process your Personal Data for the purposes and on the legal bases identified in the following (where we act as a processor of your Personal Data):

Where we have entered into a contract:

  • For your use of our free tools, KCM GRC console, KMSAT console or other services provided to you that are under the applicable terms of service or applicable agreement for services between you, or your organization, and KnowBe4
  • For the use of our Website including any products and services
  • For managing payments in order to complete a transaction with you
  • In order to provide support for our products and services (you can reach out to us by phone or email)
  • For any managed services that we provide to you from time to time
  • For webinars that you have registered to attend
  • For KnowBe4 contests or promotions

Legitimate interest is the legal basis for processing the following:

  • To assess and improve your experience on the console (such as analyzing trends or tracking your usage and interactions with our products and services in order to improve your overall experience)
  • For security purposes such as investigations of suspicious activity or for compliance purposes (such as investigating fraud or misuse of our Website)
  • For other purposes that arise from time to time

KnowBe4 processes and discloses Personal Data when cooperating with appropriate regulatory and government authorities. When KnowBe4 processes Personal Data for this purpose, the legal bases for processing shall be for compliance with a legal obligation to which KnowBe4 is subject.

Who Do We Share Personal Data With?
We may occasionally use third-party businesses to provide products and perform specialized services for data processing. When we provide Personal Data to these businesses, they are not permitted to use the Personal Data for any reason outside of the scope for which we contracted them.

The ways in which we may share your Personal Data include the following:

  • When we use our third-party processors (such as Amazon Web Services) in the performance of our services. This is required for us to provide our services to you. We execute contracts with our third parties to ensure they fulfill their data protection obligations.
  • When you register for a webinar it is generally done through one of our third-party partners.
  • With KnowBe4 affiliates and other companies that become part of KnowBe4 in the future.
  • We may also disclose your information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. Finally, we may also disclose your information for any other purpose disclosed by us when you provide the information or with your consent.

KnowBe4 reserves the right to disclose your Personal Data under the following conditions: (1) when permitted or required by law; (2) when trying to protect against or prevent actual or potential fraud or unauthorized transactions; or (3) when investigating suspected fraud which has already taken place.

Sale of Personal Data
KnowBe4 will never sell your Personal Data.

Account Admin(s)
An Account Admin is the person responsible for owning the product or service and delivering the service to members of his/her respective organization. When you or your Account Admin uploads information (such as business email address) into our products and services, you and/or the Account Admin acknowledge that it has been done at the discretion of the organization that you or your Account Admin represent. In this scenario, the Account Admin’s organization is the “controller” of the Personal Data and KnowBe4 acts as a “processor” of the Personal Data. KnowBe4 is legally bound by the applicable terms for the products and services purchased, such as the KnowBe4 Terms of Service, other applicable agreements for services between KnowBe4 and your organization, and/or Data Processing Agreements to only process data as authorized by the agreement(s) and upon the instruction of the controller. If you have any detailed questions regarding these agreements, please contact your Account Admin or KnowBe4 directly and we will forward your request to your appropriate organizational contact.

As an Account Admin, your Personal Data will be used to communicate with you for support purposes or to follow up on requests made by you or another user of the console.

Subject to legal and contractual requirements, you may refuse our collection of your data or withdraw consent to further collection. Your Personal Data will never be used outside of the scope for which KnowBe4 was contracted.

Opt Out
Since the products and services provided are at the request of your organization, you can contact your organization’s Account Admin in order to opt out of the products and services provided. Additionally, you can contact your Account Admin to make changes to your Personal Data. KnowBe4 does not have control over how your organization uses your Personal Data for their purposes. You can also contact us to contact your organization on your behalf.

International Transfers of Personal Data
Your Personal Data may be collected, transferred to, and stored by us in the United States and by our affiliates in other countries where we operate.

Therefore, your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission, and which may not provide for the same level of data protection as the EEA. In this event, we will ensure that the recipient of your Personal Data offers an adequate level of protection, for instance by entering into an agreement to abide by standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or another mechanism approved by the EU Commission.

Data Security and Retention
Your Personal Data is kept secure. Only authorized employees, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information. To provide our products and services, we occasionally use third party businesses (“Third Party” or “Third Parties”) to perform specialized services in regard to data processing. When we provide data to these businesses, they are not permitted to use data outside of the scope for which we contracted them.

We (and our third-party service providers) use a variety of industry standard security measures to prevent unauthorized access, use, or disclosure of your Personal Data. These security measures consist of but are not limited to data encryption and physical security. No method of transmission or method of electronic storage over the internet is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

KnowBe4 will retain your Personal Data for the period necessary to fulfill the purpose outlined in this Product Privacy Notice unless a longer retention period is required by applicable data privacy law.

We take reasonable steps to ensure that your Personal Data is accurate, complete, current, and otherwise reliable for its intended use. We will not process Personal Data in a way that is incompatible with the purposes for which it was collected. If your Personal Data has been disclosed to a third party, and it has been deemed incorrect by you, KnowBe4 will contact the Account Admin and will work with third parties (such as our subprocessors) to request a correction to the information.

If KnowBe4 obtains knowledge that one of our service providers or employees is in violation of this Product Privacy Notice, KnowBe4 will take commercially reasonable steps to prevent or stop the unauthorized use or disclosure of your Personal Data. KnowBe4 takes data privacy seriously. Therefore, we agree to take commercially reasonable measures to ensure the proper handling of your Personal Data by our employees and service providers.

Your Rights
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights include:

  • Accessing, correcting, amending, deleting your Personal Data;
  • Objecting to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
  • Not being subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites or in our services; and
  • To the extent we base the collection, processing and sharing of your Personal Data on your consent, withdrawing your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.

How to exercise your rights
To exercise your rights, please contact us at privacy@knowbe4.com.

More Important Information

EU-U.S. and Swiss Privacy Shield Framework
KnowBe4, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and the United Kingdom and Switzerland to the United States, respectively.  KnowBe4, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this Product Privacy Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

KnowBe4, Inc. is responsible for processing of the Personal Data that it receives, under the Privacy Shield framework, and subsequently transfers to a third party acting as an agent on its behalf. KnowBe4, Inc. complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, including onward transfer liability provisions.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, KnowBe4, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, KnowBe4, Inc. may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the Privacy Shield Principles, KnowBe4 commits to resolve complaints about our collection or use of your Personal Data.  EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact KnowBe4 at: privacy@knowbe4.com.

Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

California Consumer Protection Act
This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act or “CCPA.”

We do not provide services, or other items of value, as consideration for your, or your end users’, personal information protected by the CCPA.

You are responsible for ensuring your compliance with the requirements of the CCPA in your use of the services we provide to you and your own processing of personal information.

Here are a few things that KnowBe4 will NOT do with personal information in the scope of acting as a service provider, as defined by CCPA:

  • sell, rent, or otherwise disclose your personal information to third parties in exchange for money or something else of value
  • use your information outside the scope of the agreement(s) for services that we have with you

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this personal information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.

California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@knowbe4.com. We will verify your request using the information associated with your account, including email address. Consumers can also designate an authorized agent to exercise these rights on their behalf.

Contacting Us
To exercise your rights regarding your Personal Data, or if you have questions regarding this Product Privacy Notice or our data protection practices, please send an email to privacy@knowbe4.com. Alternatively, you may send notice by way of mail at the address listed below:

KnowBe4, Inc.
33 N Garden Avenue, Suite 1200
Clearwater, FL 33755, USA
Attn: KnowBe4 Privacy Team

We are committed to working with you to obtain a fair resolution of any complaint or concern about your data. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.

