Sublime Privacy Policy

Last updated March 5, 2025

Welcome to the website(s) of Sublime Security, Inc. (“Sublime”, “Company”, “we”, “us” and/or “our”), which includes: https://sublime.security, https://sublimesecurity.com, and any other web properties maintained by Sublime (collectively, the "Site"). 

If you are unable to access this Policy due to a disability or impairment, please contact us using the contact details in the Contact Sublime Section and we will arrange to supply you with the information you need in an alternative format that you can access. You can also access a printable version of this Policy here.

This Privacy Policy ("Policy") sets forth Sublime’s practices with respect to information including "personal data", "personal information", and "personally identifiable information" as these terms are defined under applicable data protection laws (“Personal Data”), that is collected, used and shared by Sublime in the usual course of business, including when you:

• visit, interact with or use our Site; visit our social media pages; submit a job application; receive online advertisements or communications from us, including emails, phone calls and texts; or register for, attend and/or otherwise take part in our contests, events, tutorials or webinars (we collectively refer to all of these activities as our "Marketing Activities"); 
• purchase or use any Sublime services as an authorized end user (for example, as an individual customer or as an authorized team member of one of our business customers) (herein referred to as "Service Users") (we collectively refer these activities as the "Services" in this Policy), specifically where we act as a data controller of your Personal Data (unless otherwise noted).

For clarity, our Services are intended for use by our business customers. As a result, for much of the Personal Data we process through the Services, we act as a processor or service provider on behalf of our business customers. For more information, see Section 2 below. 

"You" may, depending on the context, be a visitor to our Site or social media pages; a recipient of our communications or online advertisements; a job applicant; or a Service User. 

We may provide additional "just-in-time" disclosures or additional information about our data processing practices. These notices may supplement this Policy or clarify Sublime's privacy practices in the circumstances described or may provide you with additional choices about how Sublime processes your Personal Data.

This Policy does not apply to any third-party websites, services or applications, even if they are accessible through or are necessary for the use of our Services.

When you access or use our Services or engage with our Marketing Activities, you acknowledge that you have read this Policy and understand its content. Your use of our Services and interaction through our Marketing Activities and any dispute over privacy is subject to this Policy and the Terms of Service located at sublime.security/terms, or any other applicable service terms (including any applicable limitations on damages and the resolution of disputes).

Quick Links

We recommend that you read this Policy in full to ensure you are fully informed. However, to make it easier for you to review those parts of this Policy which apply to you, we have divided up the document into the following sections:

1. About Sublime

2. Information We Process on Behalf of our Customers

3. The Personal Data We Collect

4. Our Use of Your Personal Data and Our Legal Basis for Processing

5. Our Disclosure of Your Personal Data

6. Social Media and Technology Integrations

7. Cookie Policy and other Tracking Technologies

8. Security

9. Retention

10. Transfers of Your Personal Data

11. Additional Disclosures for U.S. Residents

12. Your Privacy Rights & Choices

13. Children's Personal Data

14. Links to Third-Party Web Sites

15. Changes to Sublime's Privacy Policy

16. Contact Sublime

‍

1. About Sublime

Sublime Security is the adaptive, AI-powered cloud email security platform that combines best-in-class effectiveness with unprecedented visibility and control. The open platform allows security teams to have transparency and flexibility in their email environment to spend less time on email-originated incidents. Advanced teams can customize detections, threat hunt, extend Sublime into their SIEM or SOAR, and collaborate with other teams. You can find out more about Sublime and Deploy Sublime Core for free or Sublime Enterprise at https://sublime.security/start.

Subject to Section 2 below, if you are located in the European Economic Area ("EEA"), United Kingdom ("UK") or Switzerland, the controller (or processor where applicable) of your Personal Data that Sublime processes for the purposes described in this Policy is Sublime Security, Inc.

2. Information We Process on Behalf of our Customers

Our Services are intended for use by our business customers. As a result, for much of the Personal Data we process through the Services, we act as a processor or service provider on behalf of our business customers. This means that our business customers control what Personal Data we collect through the Services and how we use it. Where our activities as a processor or service provider are clear and consistent across our customer base, we have described those activities herein in the interests of transparency. However, if you are a Service User, and have privacy related questions or concerns about the privacy practices of or the choices the relevant business customer has made regarding your information via the Services, you should contact the relevant customer (e.g. your employer) directly or review their privacy notices.

We are not responsible for the privacy or data security practices of our business customers, which may differ from those set forth in this Policy.

3. The Personal Data We Collect

The Personal Data we collect depends on the context of your interactions with Sublime and the choices you make (including your privacy and browser settings), the Services you use (including whether you self-host the Services or use Sublime’s cloud hosting), your location and applicable law, but can include the following:

Personal Data That You Provide to Sublime: We collect different types of Personal Data that you voluntarily submit through the Site. We collect Personal Data from you when you voluntarily provide such information, such as when you contact us with inquiries, respond to one of our surveys, register for access to the Services or use certain Services. Wherever Sublime collects Personal Data, we make an effort to provide a link to this Privacy Policy.

The Personal Data we collect may include: 

• Marketing information (Identifiers) - such as your business contact information (name, job title, organization, phone number, email address, country/state of residence, mailing address) and contact preferences; 
• Online content (Internet activity information) - which includes Personal Data disclosed by you on message boards, chat features, blogs and other services or platforms to which you are able to post information and materials, including third party services and platforms;
• Applicant information (Employment and Education information) - if you apply for a job with Sublime (such as your resume, desired pay, education and work history, whether you are over the age of 18, and visa status). You also may choose to provide your gender, ethnicity, veteran status, disability status, and links to your website, blog, portfolio, or LinkedIn profile;
• Services account registration data (Customer Records) - such as your email, username or account name and hashed password when you sign-up or register for an account with us and the unique Service user ID assigned to you in our systems;
• Services management data (“Customer Data”) – Personal Data provided, uploaded, or submitted by customer to the Sublime cloud-hosted Services in order to provide our suite of email security services to organizations, such as: email header, message contents, subject, sender, recipients, date, attachments, user names, roles, email addresses, IP addresses, organization and domain names, groups, rules, configurations, activity logs, audit logs, and any other information that may be contained in an email (.eml) file processed by our Services (note that, except where proactively shared by customer and as expressly identified in any applicable terms of service, Sublime does not process or otherwise access the contents of any email file when a customer chooses to self-host our Services); 
• Troubleshooting and support data - which is data you provide or we otherwise access in connection with support queries we receive from you. This may include, for example, contact or authentication data, the content of your chats and other communications with Sublime, the product or service you are using related to your help inquiry and related crash analytics.

If you communicate directly with us, we may collect and maintain an archive of our communications with you (including their content). We may also record or monitor our telephone or other communications with you, to the extent permitted by applicable law.

Providing your Personal Data is optional, but it may be necessary for certain Services, such as in relation to Services account registration and management data. In such cases, if you do not provide your Personal Data, Sublime may not be able to provide you with the requested Services.

Personal Data we collect automatically: When you use or interact with the Services and Marketing Activities, we automatically collect or receive certain information through our Services (for example in log files) and through other technologies (such as cookies) about your device and usage of the Services. In some countries, including countries in the EU and UK, this information is considered Personal Data. 

The categories of Personal Data we automatically collect and have collected in the last 12 months include your device's IP address, the domain name of the website from which your device linked to our Services and Marketing Activities, and your browsing habits on and usage of the Services and Marketing Activities through your device:

• Commercial Information - Information about the products or services you purchased, looked at or searched for, and any related use histories or tendencies;
• Online Identifiers and Inferences - Details about your computers, devices, applications, and networks, including internet protocol (IP) address, URLs or domain names of websites you visit, information about applications installed on your device, traffic data, cookie identifiers, mobile carrier, mobile device ID, advertising identifiers;
• In relation to the Services: Customer Data (as defined in this Section); Services account registration data; performance information; data relating to your interaction with the Services (e.g. time of access, features used, length of use, OS version, browser information, device IDs); crash logs; and other aggregate or statistical information.

We use tracking technologies to collect this information, including cookies, web beacons, pixels and clear gifs. For more information, see Cookies and other Tracking Technologies.

Notice to Service Users: We may collect and process Personal Data about individuals at the direction of our customers. Our processing of such data is governed by the terms of our service agreements with our customers (and any applicable data processing agreements), and not this Privacy Policy. We are not responsible for how our customers treat the Personal Data we collect on their behalf, and we recommend you review their separate privacy policies.

Sublime acknowledges that you may have rights in connection with Customer Data. If your information has been processed by Sublime on behalf of a customer and you wish to exercise any rights you have with such Personal Data, please inquire with our customer directly. If you wish to make your request directly to Sublime, please provide the name of the Sublime customer on whose behalf Sublime processed your information. We will refer your request to that customer and will support them to the extent required by applicable law in responding to your request.

Information From Third-Party Services:  We may receive information about you from other sources, including through Third-Party services that you may connect to Sublime (such as API integrations) and organizations that supplement information directly provided by you. For example, if you access our Services through a Third-Party application, such as Google Sign-In, we may collect information about you from that Third-Party application that you have made available. Information we collect through integrations and other connected Third-Party services may include your name, email address, logging information, etc. This information allows us to provide you with the Sublime services and to enhance our ability to provide you with information about our business and products.

Information from Other Sources:

We may obtain Personal Data about you from other sources. The categories of other sources from which we collect and have collected Personal Data from in the last 12 months include:

• Social networks when you interact with our Services and Marketing Activities or grant permission to us to access your information;
• Partners with which we offer co-branded services or engage in joint marketing activities; 
• Third parties that have indicated that they have your consent or are otherwise legally permitted or required to disclose your Personal Data to Sublime. For example, we may be provided with information about individuals who could be interested in using our Services (e.g., LinkedIn Sales Navigator and similar advertising companies, as well as partners and service providers); 
• Other individuals at your organization, or individuals who may refer Sublime to you, for the purpose of learning more about our Services; 
• Background screening providers that Sublime uses in the event you are selected to join our team via our careers and recruitment process. We conduct background screenings through a third-party service provider and verify information from your job application that relates to your past education, employment, credit and/or criminal history, as allowed by applicable law; 
• Recruitment agencies, who may share your Personal Data with us for purposes of helping to identify and select candidates; and
• Publicly-available sources such as data in the public domain.

Aggregated Personal Data: In an ongoing effort to better understand and serve our prospects and Service Users, Sublime often conducts research on its customer demographics, interests and behavior based on Personal Data and other information provided to us. As it relates to our Services, we may also use machine learning and performance metrics for the purposes of providing and improving Sublime’s products and services. This information may be compiled and analyzed on an aggregate basis. This aggregate information does not identify you personally. Sublime may also disclose such aggregated information in order to describe and promote our Services to current and prospective business partners, and to other third parties for other lawful purposes.

4. Our Use of Your Personal Data and Our Legal Basis for Processing

We may use your Personal Data, and may have done so over the preceding 12 months, for the following purposes and in reliance on the legal bases described in this Privacy Policy or disclosed explicitly to you in our Services or other contracts:

To communicate, including…

• With you, our customers, partners and other third parties (e.g. through email) about the Services, including to communicate changes and revisions to our policies, technical notices, security alerts, support, renewal notices, for account verification and other administrative messages in reliance on our legitimate interests in administering our Services;
• To ask you to participate in surveys or solicit feedback on our Services in reliance on our legitimate interests;
• If you fill out a web form or request support, if you contact us by other means, including via a phone call, we use your data to perform our contract with you or if we do not have a contract directly with you, in reliance on our legitimate interests in fulfilling your requests and communicating with you;
• With you about promotions, upcoming events, and news about products and services offered by Sublime (e.g. marketing newsletters, telemarketing calls, SMS, emails or push notifications) and, in some cases, our selected partners, all in accordance with your marketing preferences as necessary for our legitimate interest in conducting direct marketing, or to the extent you have provided your prior consent;
• To conduct marketing research, advertise to you, provide personalized information about us on and off our websites, and to provide other personalized content based on your activities and interests to the extent it is necessary for our legitimate interest in advertising our Services, or where necessary, to the extent that you have provided your prior consent. Please see the “Your Privacy Rights and Choices” section below to learn how you can control the processing of your Personal Data by Sublime for personalized advertising. Generally, Sublime does not rely on consent as a legal basis for processing your Personal Data, other than sending direct marketing communications to you via email. If you have provided your consent to receive email marketing from us, you have the right to withdraw your consent to email marketing at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your Personal Data conducted in reliance on other lawful processing grounds.

To process job applications, including…

• To evaluate your application, make hiring decisions, and evaluate your authorization to work, if applicable, including evaluating immigration status with respect to authorization to work;
• To communicate with you and inform you of current and future career opportunities (unless you tell us that you do not want us to keep your details for such purposes);
• To manage and improve our recruiting and hiring processes, such as soliciting feedback via candidate surveys, or to conduct reference and background checks where required or permitted by applicable local law;
• All information collected in the context of processing job applications and in general when you apply for a job with Sublime is processed in reliance on our legitimate interest in assessing the suitability of our candidates and managing our recruiting process, or, where required by applicable law, with your consent.

To provide and improve our products and services, including…

• Operating, maintaining and providing to you the features and functionality of the Services, as necessary to perform our contract with you;
• Using a person’s IP address and other online identifiers to generate aggregate, non-identifying information about how our Services are used in reliance on our legitimate interests and as necessary to perform our contract with you;
• To monitor and improve marketing campaigns and make relevant suggestions to users in reliance on our legitimate interests and, where applicable, with your consent, which can be withdrawn at any time;
• To understand you and your preferences to enhance your user experience in reliance on our legitimate interest in personalizing and improving the Services and as necessary to perform our contract with you or our customers.

To fix problems and protect the Services, you, ourselves, other customers and the public generally and to comply with applicable laws, including…

• To troubleshoot and diagnose product problems and to provide other customer support, including to help us provide, improve and secure the quality of our products, services and training and to investigate security incidents, in reliance on our legitimate interests and, where applicable, to perform our contract with you in accordance with the applicable terms;
• Using call recording data, including to provide support services and investigate security incidents in reliance on our legitimate interests and, where applicable, to perform our contract with you in accordance with the applicable terms;
• To ensure the safety and security of our Services in reliance on our legitimate interests, including verifying accounts and activity, investigating suspicious activity, detecting and preventing fraud and other illegal activities and to protect the rights and interests of us, users, and other customers’ users, third parties, and the public;
• To enforce our terms of service or protect our business in our legitimate interests;
• To comply with our legal obligations under applicable laws, we process your Personal Data when cooperating with public and government authorities, courts or regulators, to the extent this requires the processing or disclosure of Personal Data to protect our rights, or is necessary for our legitimate interest in protecting against misuse or abuse of our Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.

For other legitimate business purposes in reliance on our legitimate interests, such as to update, expand, and analyze our records, identify new customers, data analysis, to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity, developing new products, enhancing, improving or modifying our Services, identifying usage trends, benchmarking, determining the effectiveness of our promotional campaigns, trials and operating and expanding our business activities.

In carrying out these purposes, we combine data we collect from different contexts or that we obtain from third parties to give you a more seamless, consistent, and personalized experience, to make informed business decisions, and for other legitimate purposes.

If Sublime intends on using any Personal Data in any manner that is not consistent with this Privacy Policy, you will be informed of such anticipated use prior to or at the time at which the Personal Data is collected.

We may use information that does not identify you (including information that has been de-identified) without obligation to you except as prohibited by applicable law. For information on your rights and choices regarding how we use your information, please see Your Privacy Rights and Choices.

5. Our Disclosure of Your Personal Data 

Sublime is not in the business of selling your information for monetary consideration. We consider this information to be a vital part of our relationship with you and we only share it where reasonably necessary to provide our services to you or enhance our relationship with you. There are, however, certain circumstances in which we may share your Personal Data with certain third parties without further notice to you. The types of entities to whom we disclose and have disclosed information within the last 12 months, include:

Affiliates: We may share all categories of your Personal Data with our affiliates for internal business purposes (e.g. for customer support, marketing, or technical operations).

Third-party service providers: Our service providers may process all categories of your Personal Data in connection with their work on our behalf and are contractually prohibited from retaining, using, or disclosing your information for any purpose other than to provide this assistance, although we may permit them to use aggregate information which does not identify you or de-identified data for other commercial purposes. We may also share your Personal Data with our marketing service providers to help us better market our products and services to you. These marketing service providers may use your Personal Data only for the purpose of helping us to provide relevant products and services information to you and are expressly obligated not to disclose your Personal Data to others. If you do not want us to use your Personal Data for these marketing purposes, you can opt out by contacting us at privacy@sublimesecurity.com.        

Vendors, Agents, Consultants and Related Third Parties: Sublime, like many businesses, sometimes hires other companies to perform certain business-related functions. Examples of such functions include mailing information, maintaining databases, analytics and marketing or advertising services, and processing payments. When we employ another entity to perform a function of this nature, we only provide them with the information that they need to perform their specific function.

Partners: Sublime may share business contact information, marketing information, troubleshooting and support data with business partners of ours (including referral partners, resellers, and managed service providers), for the purpose of assisting with sales, marketing and support activities.

Merger or acquisition: We may share or transfer all categories of your information in connection with, or during negotiations of, any proposed or actual merger, purchase, sale, change of control, or any other type of acquisition or business combination of all or any portion of our assets, or transfer of all or a portion of our business to another business.          

Legal Requirements: Sublime may disclose any categories your Personal Data if required to do so by law or in the good faith belief that such action is necessary to: (i) comply with a legal obligation or other legal process, and where required, in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (ii) protect and defend the rights or property of Sublime; (iii) act in urgent circumstances to protect the personal safety of users of the Services or the public; or (iv) protect against legal liability.

Consent: To any other person you have consented to us sharing Personal Data.

Without limiting the foregoing, we may share aggregated information which does not identify you or de-identified information with other parties or affiliates except as prohibited by applicable law. For information on your rights and choices regarding how we share your information, please see Your Privacy Rights and Choices.

6. Social Media and Technology Integrations

Our Services and Marketing Activities contain content from and hyperlinks to websites, locations, platforms, and services operated, owned, and maintained by third parties. In addition, we integrate technologies operated or controlled by other parties. For example, we hyperlink from our Site and Services to websites, social media platforms, and other services not operated or controlled by us. These other parties may use tracking technologies to independently collect information about you and may solicit information from you. Also, if you use one of their features, both we and the applicable other party may have access to and use information associated with your use of that feature. If you publicly reference our Site or Services or Marketing Activities on a social network (e.g., by using a hashtag associated with Sublime in a tweet or post), we may use your reference on or in connection with our Services and Marketing Activities.

The information collected and stored by third parties, whether through our Services and Marketing Activities, or another parties' service or device, remains subject to their own policies and practices, including what information they share with us, your rights and choices on their services and devices, and whether they store information in the U.S. or elsewhere. Sublime is not responsible for and makes no representations regarding the privacy practices of third parties. You should carefully read their own privacy policies before providing any information to such parties.

7. Cookie Policy and other Tracking Technologies  

We may, and we may allow third party service providers to, use cookies or other tracking technologies to automatically collect information from your computer or mobile device about your browsing activities over time and across different websites following your use of the Site, your interaction with our Marketing Activities as well as in connection with the Services.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including necessary cookies) you may not be able to access all or parts of the Site. For more information, and to manage how Sublime collects and stores non-essential cookies, please see our Cookie Manager.

In addition, we may use session replay technology to identify and resolve customer issues, to monitor and analyze how you use our Site and Services, and to better understand user behavior and improve our Site and Services. By continuing to use the Site or Services, you consent to the use of session replay technology. If you would like to change your settings with respect to session replay technology, you may do so within our Cookie Manager.

8. Security

Sublime takes reasonable administrative, physical and electronic measures designed to protect your Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. However, no Internet or email transmission is ever fully secure or error free. Therefore, we cannot guarantee the security of your Personal Data. Please keep this in mind when disclosing any Personal Data to Sublime via the Internet.

9. Retention

We may retain your Personal Data for as long as necessary for the purposes it was collected, or for other essential purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements. Because these needs can vary for different data types in the context of different services, actual retention periods can vary. We determine the appropriate retention period for Personal Data based on the amount, nature and sensitivity of your Personal Data processed, the potential risk of harm from unauthorized use or disclosure of your Personal Data and whether we can achieve the purposes of the processing through other means, as well as applicable legal requirements (such as applicable statutes of limitation). After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of that data. For further information on applicable data retention periods, please see the section entitled Contact Sublime.

10. Transfers of Your Personal Data

Personal Data we collect may be stored and processed in your region, in the United States, Canada, the United Kingdom or any other country where we or our affiliates, subsidiaries or service providers maintain facilities. We maintain primary data hosting centers in the United States (with additional hosting locations in the EU (Ireland), UK, Canada and Australia). We take steps designed to ensure that the data we collect under this Privacy Policy is processed as described hereunder and according to applicable law wherever the data is located.

By visiting the Site or using the Services, you acknowledge that we may transfer Personal Data from the European Economic Area (EEA), UK and Switzerland (collectively, “Europe”) to other countries that may not have the same level of data protection that applies in your jurisdiction, and you authorize Sublime to transfer, store, and process your Personal Data to and in the United States and other countries. In these cases, we use a variety of legal mechanisms to ensure that the recipient of your Personal Data offers an adequate level of protection, including entering into the standard contractual clauses for the transfer of European data approved by the European Commission, pursuant to the Data Privacy Framework(s) discussed below, or where required, we will ask you for your prior consent.

Data Privacy Framework

Sublime complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) (EU-U.S. DPF, UK Extension, and the Swiss-U.S. DPF, collectively, the “DPF” or “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the processing of personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland in reliance on the DPF. Sublime has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles, the UK Extension Principles, or the Swiss-U.S. DPF Principles (collectively, “DPF Principles”) as applicable with respect to such personal data. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Sublime’s certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission has jurisdiction over Sublime’s compliance with the DPF. Pursuant to the EU-U.S. DPF, the UK-U.S. DPF and the Swiss-U.S. DPF, EU, UK and Swiss individuals have the right to obtain Sublime’s confirmation of whether we maintain Personal Data relating to them in the U.S. Upon request, Sublime will provide EU, UK and Swiss individuals with access to the Personal Data that Sublime holds about them. EU, UK and Swiss individuals may also correct, amend, or delete Personal Data Sublime holds about them where it is inaccurate, or has been processed in violation of the DPF Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy or where the rights of persons other than the individual would be violated. An EU, UK or Swiss individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the U.S. under the DPF should direct their query to privacy@sublimesecurity.com. If requested to remove data, Sublime will respond within a reasonable timeframe. Sublime will provide EU, UK and Swiss individuals with the choice to opt-out from the sharing of their Personal Data with any third parties (other than our agents or those that act on our behalf or under our instruction), or before Sublime uses it for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized. For more information about rights afforded to EU, UK and Swiss individuals, please see Section B of the Your Privacy Rights & Choices section below. In addition to any other disclosures described in this Privacy Policy, in certain situations, Sublime may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In the context of an onward transfer, Sublime has responsibility for the processing of personal data it receives under the DPF Principles including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. These responsibilities are described in the DPF Principles. Sublime shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Sublime commits to resolve DPF Principles-related complaints about our collection or use of your Personal Data in compliance with the DPF. If you have any questions, complaints and/or other concerns regarding our collection and use of your Personal Data received in reliance on the DPF, please contact us at privacy@sublimesecurity.com. In compliance with the DPF, Sublime will refer unresolved complaints concerning the handling of personal data received in reliance on the DPF to JAMS, an alternative dispute resolution provider based in the U.S. If you are an EU, UK, or Swiss individual and you do not receive timely acknowledgment of your DPF-related complaint from Sublime, or if we have not addressed your DPF-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms as set forth in Annex 1 of the Data Privacy Framework Principles. You may also lodge a complaint with your local data protection authority, with the Data Protection Authority in Ireland, namely the Data Protection Commission, at dpo@dataprotection.ie, the UK Information Commissioner’s Office (ICO), at https://ico.org.uk/, or Swiss Federal Data Protection and Information Commissioner (FDPIC) at https://www.edoeb.admin.ch/edoeb/en/home.html.  

11. Additional Disclosures for U.S. Residents

This section describes how Sublime collects, uses and discloses your Personal Data pursuant to the following, and any similar, U.S. state privacy laws: 

• the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA); 
• the Colorado Privacy Act (CPA); 
• the Connecticut Data Privacy Act (CDPA);
• the Delaware Personal Data Privacy Act (DPDPA);
• the Iowa Consumer Data Protection Act (ICDPA);
• the Montana Consumer Data Privacy Act (MCDPA);
• the Nebraska Data Privacy Act (NPDA);
• the New Hampshire Privacy Act (NHPA);
• the New Jersey Data Protection Act (NJDPA);
• the Oregon Consumer Privacy Act (OCPA);
• the Virginia Consumer Data Protection Act (VCDPA); and 
• the Utah Consumer Privacy Act (UCPA).

This section applies only if you live in the US states of California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Virginia, Utah or any other US state that has enacted similar privacy laws and only to the extent such laws apply to you and/or Sublime (collectively, “US Privacy Laws”). This section also describes the rights you have with regard to your Personal Data, which apply when these laws take effect in these states. This section does not apply to any of our employees, owners, directors, officers, or contractors.

Since the rules and regulations implementing some of these laws have not yet been finalized, we will continue to update our processes and disclosures as well as this section once these implementing rules and regulations are finalized. Certain terms used herein have the meanings given to them in the respective state privacy laws.

Categories, Sources, and Use of Personal Data we collect: 

The categories of Personal Data we collect and the sources from which we collect it are described in detail in the section entitled The Personal Data We Collect. The business and commercial purposes for which we collect this information are described in the section entitled Our Use of Your Personal Data.

In addition, and specifically with respect to job applicants, Sublime may collect Personal Data:

• that contains characteristics which may be protected classifications under California or Federal Law solely to the extent such characteristics are voluntarily disclosed to us or contained in any content transmitted across or stored on our network (e.g. age, ethnicity, race, languages spoken and gender);
• which includes sensitive Personal Data as defined under US Privacy Laws (such as social security number, driver’s license, state identification card, passport number, the contents of mail/email and text messages (unless we are the intended recipient of the communication), precise geolocation, and health information).

We collect sensitive Personal Data in relation to job applicants for various purposes, including: 

• to uniquely identify you; 
• to comply with our legal obligations pursuant to applicable federal and state employment laws and regulations, including collecting and disclosing Personal Data as required by law (e.g., for minimum wage, payroll tax, as well as to comply with equal opportunity and anti-discrimination laws);
• to facilitate and provide reasonable accommodations; and
• to facilitate other business purposes as enumerated under the US Privacy Laws.

As defined by applicable US Privacy Laws, sensitive Personal Data shall be treated as Personal Data, except where it is collected or processed for “the purpose of inferring characteristics about a consumer.” We do not collect or process sensitive Personal Data for the purpose of inferring characteristics about individuals.

Sale or Disclosure of Personal Data

This section only applies where Sublime is acting as a business, and not a service provider, under applicable US Privacy Laws. The categories of third parties to whom we "disclose" your Personal Data, and the categories of information disclosed for a business purpose are described in the section entitled Our Disclosure of Your Personal Data.

When we disclose Personal Data for a Business Purpose, we enter into a contract that describes the purpose and requires the recipient to keep that Personal Data confidential and use it only for the purposes specified in the contract, and not for any other purpose. We share or make your information available, including any Personal Data, in the circumstances described below.

While Sublime does not sell Personal Data in exchange for any monetary consideration, we may share Personal Data for cross-context behavioral advertising purposes and for other benefits as defined by certain US Privacy Laws, such as the CCPA under Cal. Civ. Code 1798.140(ad)(2). Some of our processing activities may also constitute “targeted advertising” as that term is defined under certain US Privacy Laws.

We have shared, in the preceding 12 months, Personal Data as necessary for business purposes, as defined by Cal. Civ. Code 1798.140. This includes sharing personal identifiers, commercial information, and internet or other electronic network activity with customer relationship management, consulting, email, product feedback, helpdesk services, advertising networks and website analytics companies. 

We make Personal Data available to the following categories of third parties:

• partners (including analytics providers);
• marketing service providers; 
• affiliated persons, third-party service providers and partners assisting us in the operation, management, improvement, research and analysis of the Site, Marketing Activities and Services. Affiliated persons or our third-party service providers may augment, extend, and combine non-personally identifiable information with data from additional third-party sources in order to assist us with the above. Use of information by affiliated persons and third-party service providers will be subject to this Policy or an agreement that is at least as restrictive as this Policy.

You have a right to direct Sublime not to sell or share your Personal Data. We do not have actual knowledge that we have sold or shared Personal Data of individuals under the age of 16 for targeted advertising or cross-context behavioral advertising purposes.

12. Your Privacy Rights & Choices

Sublime provides ways for you to access and delete your Personal Data as well as exercise other rights that give you certain control over your Personal Data.

A. All Users

• Email Subscriptions. You can always unsubscribe from our commercial or promotional emails by clicking unsubscribe in those messages. We make every effort to promptly process all unsubscribe requests. If you choose to no longer receive marketing information, we may still communicate with you regarding such things as your security updates, product functionality, responses to service requests, or for other transactional, non-marketing related reasons.
• You may exercise choice regarding the use of cookies as described in our Cookie Manager.

B. EEA, UK and Switzerland Residents and Visitors

If you are a resident of or visitor from the EEA, UK or Switzerland, where we are acting as a data controller, you may have the following rights with regard to the Personal Data we control about you:

• You can access, correct, update and delete your Personal Data by emailing us at privacy@sublimesecurity.com. If you are a Service User, you can also do this by signing into your account and editing your information as desired.
• You can object to processing of your Personal Data, ask us to restrict the processing of your Personal Data or request portability of your Personal Data. To exercise these rights, please send an email to privacy@sublimesecurity.com.
• If we have collected and processed your Personal Data with your consent, then you can withdraw your consent at any time for future processing. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Data conducted in reliance on lawful processing grounds other than consent.
• You have the right to complain to a data protection authority about our collection and use of your Personal Data but we encourage you to first contact us with any questions or concerns. 
• Sublime does not engage in any automated decision making with your Personal Data.

C. US Privacy Rights

Subject to certain limitations (as defined under applicable law), you have the rights listed below with respect to the Personal Data that we collect about you when Sublime is acting as a business under applicable US Privacy Laws.

Right to Know 

You have the right to request access to, or a copy of the Personal Data we have collected, used, disclosed and sold about you, including:

• The categories of Personal Data we have collected, used, disclosed or sold;
• The categories of sources from which the Personal Data is collected;
• The business or commercial purpose for collecting your Personal Data;
• The categories of third parties with whom we have shared your Personal Data; 
• The specific pieces of Personal Data we have collected about you;
• If we disclosed your Personal Data for a Business Purpose, the Business Purpose for which such Personal Data was disclosed, and the Personal Data categories that each category of recipient obtained; and
• If applicable, (1) the categories of your Personal Data that we have made available for valuable consideration; (2) the categories of third parties to whom such Personal Data was made available; and (3) the category or categories of Personal Data that we have made available to each category of third parties.

You also have a right to know if we have sold or shared your Personal Data for a business purpose and, if so, the categories of Personal Data sold or disclosed and the categories of third parties to whom such information was sold or disclosed, along with the business or commercial purpose for which such information was sold or disclosed.

Right of Access

You may request a copy of the Personal Data we have collected about you.

Right to Delete 

You have the right to request that we delete the Personal Data we have collected from you (and direct our service providers to do the same) and retained, subject to certain limitations under applicable law. 

Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Data from our records, unless an exception applies.

Right to Correct 

You have the right to correct inaccurate Personal Data that we maintain about you. We will take into account the nature of the Personal Data and the purposes for which we process it. We may require documentation from you in order to process your request, including your name, email address, phone number, and request details.

Right to Opt-Out of Sale/Sharing 

You may also have the right to opt out of the sale or sharing of your Personal Data. You can request to opt out of such “sale” or "sharing" of your Personal Data by submitting a request to us by sending us an email at privacy@sublimesecurity.com.

If you decide to opt-out, we will stop selling or sharing your information with third parties. However, please note that for example your use of our Website may still be tracked by us and our service providers to perform functions that are necessary for our business such as hosting our Website, ensuring there is no fraud, etc. These entities are contractually obligated to keep this information confidential and will not use it for any purpose other than for the services they provide to our business.

You may change your mind and opt back in at any time by sending us an email at privacy@sublimesecurity.com. We will only use Personal Data provided in an opt-out request to review and comply with the request.

Right to Limit the Use of Sensitive Personal Data

Sublime does not knowingly collect, use or disclose any sensitive personal information, as defined by applicable US Privacy Laws, for the purpose of inferring characteristics about you. Accordingly, submitting a request to limit the use of your sensitive Personal Information is not required.      

Right to Not Receive Discriminatory Treatment

You have the right to not receive discriminatory treatment for exercising your US Privacy Laws privacy rights. We do not use the fact that you have exercised or requested to exercise any rights under applicable US Privacy Laws for any purpose other than facilitating a response to your request.

You can contact us with your request through one of the contact methods described under the Contact Sublime section below. 

We may ask you to provide information that will enable us to verify your identity in order to comply with your request to exercise your privacy rights. Consumers in some states may also authorize an agent to make requests on their behalf. In particular, if you are a California resident, or if you are an authorized agent wishing to exercise CCPA rights on behalf of someone else, please contact us via email at privacy@sublimesecurity.com. Please include your full name and email address along with why you are writing so that we can process your request in a timely manner. In some instances, we may decline to honor your request if an exception applies under applicable law. We will respond to your request in accordance with the requirements of applicable law.

Please note that if your information has been processed by Sublime on behalf of a customer and you wish to exercise any rights you have with such Personal Data, please inquire with our customer directly. If you wish to make your request directly to Sublime, please provide the name of the Sublime customer on whose behalf Sublime processed your information. We will refer your request to that customer and will support them to the extent required by applicable law in responding to your request.

Please note that to protect your Personal Data, we will verify your identity by a method appropriate to the type of request you are making. We may also request that your authorized agent (as applicable) have written permission from you to make requests on your behalf, and we may also need to verify your authorized agent's identity to protect your Personal Data.

We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Data provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

You may have the right to appeal our decisions made with respect to your request. To appeal our decision on your request, you may contact us through one of the contact methods described under the section titled Contact Sublime. Please enclose a copy of, or otherwise specifically reference, our decision on your request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

You may also request information about our practices related to our disclosure of your Personal Data to certain third parties for their direct marketing purposes. You may be able to opt out of our sharing of your Personal Data with unaffiliated third parties for the third parties’ direct marketing purposes in certain circumstances. You can contact us with your request through one of the contact methods described under the section titled Contact Sublime.

California’s Shine the Light law

If you are a California resident, you are entitled once a year, free of charge, to request and obtain certain information regarding our disclosure, if any, of certain categories of Personal Data to third parties for their direct marketing purposes in the preceding calendar year. To request the above information, please email us at privacy@sublimesecurity.com or write to us at 712 H St NE, PMB 14, Washington, DC 20002 with a reference to "CA Disclosure Information" and include your name, street address, city, state, and ZIP code. In your request, please attest to the fact that you are a California resident and provide a current California address. We will reply to valid requests by sending a response to the email address or physical address from which you submitted your request. Please note that Sublime is not required to respond to requests made by means other than through the provided email address or mail address. Please note that not all information sharing is covered by the “Shine the Light” requirements and only information on covered sharing and the relevant details required by the Shine the Light law will be included in our response.

13. Children's Personal Data

Our Services and Marketing Activities are not intended for users under the age of 16, and Sublime does not knowingly collect Personal Data from children under the age of 16 in a manner that is not permitted by the U.S. Children's Privacy Protection Act ("COPPA") or other applicable laws. If you are under the age of 16, please do not use or submit any Personal Data through the Services. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce our Privacy Policy by instructing their children never to provide Personal Data without their permission. If you have reason to believe that a child under the age of 16 has provided Personal Data to Sublime through the Services, please contact us at privacy@sublimesecurity.com or send us a letter to the mailing address in the section entitled "Contact Sublime" below. 

We do not knowingly "sell" or “share” as those terms are defined under US Privacy Laws, the Personal Data of minors under 16 years old who are U.S. residents.‍

14. Links to Third-Party Web Sites

The Site and Services may contain links to other web sites, resources or services not operated or controlled by Sublime (the “Third Party Sites”). The policies and procedures we described here do not apply to the Third Party Sites. The privacy practices of these websites and services will be governed by their own policies. 

We make no representation or warranty as to the privacy policies of any third parties, including the providers of third party applications. If you are submitting information to any such third party through our Sites or Services, you should review and understand that party’s applicable policies, including their privacy policy, before providing your information to the third party. For example, it is possible that your payment information (such as credit card or debit card information) may be collected and stored by third party payment vendors. We suggest contacting those third parties directly for information on their privacy policies or if you have any questions or concerns about their privacy policies and practices.

15. Changes to Sublime’s Privacy Policy

The Services and our business may change from time to time. As a result, at times it may be necessary for Sublime to make changes to this Privacy Policy. Sublime reserves the right to update or modify this Privacy Policy at any time and from time to time without prior notice. Please review this policy periodically, and especially before you use our Sites or our Services or engage with our Marketing Activities. This Privacy Policy was last updated on the date indicated above. Your continued use of the Services after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of such revised Privacy Policy. We encourage you to review this Policy frequently to be informed of how Sublime is protecting your Personal Data.

16. Contact Sublime

Please feel free to contact us if you have any questions or concerns about Sublime’s Privacy Policy or our privacy practices, including if you need to access this Policy in an alternative format, or if you wish to lodge a complaint about our privacy practices.

You may contact us as follows: privacy@sublimesecurity.com, by using the Your Privacy Choices Form, or by registered mail at 712 H St NE, PMB 14, Washington, DC 20002.

Sublime’s GDPR Article 27 local representatives are:

Country: EEA

Osano International Compliance Services Limited

ATTN: 9MW63 Dublin Landings

North Wall Quay

Dublin 1

D01C4E0

Country: United Kingdom

Osano UK Compliance LTD

ATTN: 9MW6

42-46 Fountain Street

Belfast

Antrim

BT1 - 5EF