Mimecast Privacy Statement

    Topics covered in this Privacy Statement include:

    Welcome to Mimecast! Mimecast Services Limited (“Mimecast”, “we”, “our”, “us) is a global company, with offices and/or affiliates in the United Kingdom (“UK”), Europe, North America, Australia, Israel, Jersey, United Arab Emirates, South Africa, Singapore, and India. We serve companies that have offices in those jurisdictions and across the world. Our website located at www.mimecast.com (the “Site”), provides information about our products and services (the “Services”) and is operated by Mimecast. Mimecast Services Limited has a registered office at 1 Finsbury Ave Floor 4, London, EC2M 2PF, UK (registered in England and Wales, 4901524).

    For individuals in the European Economic Area (the “EEA”), please be advised that our local operating entities are Mimecast Germany GmbH, Mimecast Netherlands B.V., and Mimecast France SARL. Mimecast Germany GmbH has a registered office at Parkstadt Schwabing, Lyonel-Feininger-Straße 26, 80807 München, Germany (Registration: HRB 234744). Mimecast Netherlands B.V. has a registered office at Stationsplein 12, 1211 EX Hilversum, The Netherlands (Registration: 30214369). Mimecast France SARL has a registered office at 4 rue de Marivaux 75002 Paris, France.

    This Privacy Statement describes how Mimecast uses and protects information about an identified or identifiable natural person (collectively, “Personal Data”) collected through the Site, offline communications, as well as at programs and events, and explains our marketing practices generally. This Privacy Statement is incorporated into, and is a part of, our Terms of Use, found here, which governs your access to and use of the Site. It also addresses Personal Data processed by Mimecast during our engagement with prospective employees, and other Personal Data controlled by Mimecast in the normal operation of our business. By using the Site or otherwise giving us your Personal Data, you agree to the terms of this Privacy Statement. If you do not agree with this Privacy Statement in general or any part of it, you should not access the Site or otherwise give us your Personal Data.

    Mimecast is the controller for the Personal Data processed as described in this Privacy Statement. For Personal Data of end-users who interact and use the Services (“End-User Data”), Mimecast acts as a processor. If your company (our “Customer”) engages Mimecast to provide Mimecast Services, your company and Mimecast will enter into a separate services agreement and, if applicable, a data processing addendum (collectively, the “Agreement”) that will, among other things, govern Mimecast’s processing of End-User Data in connection with the operation of the Services, including data collected through certain features made available through the Site. Any Agreement between a Customer and Mimecast will take precedence over any conflicting provision in this Privacy Statement. The Agreement will apply to your use of our Customer portal, and any End-User Data provided or generated by creating your user account and your use of the Customer portal. If you are an end-user of one of our Customers, please note that as data controllers, our Customer is responsible for disclosing your rights with respect to End-User Data and any other information regarding the collection, use, and processing of such data.

    When we transfer Personal Data from the European Union, UK, and/or Switzerland, Mimecast complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union, UK, and Switzerland to the United States.

    Mimecast has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles, including the onward transfer liability provisions. If there is any conflict between the terms in this Privacy Statement and the Data Privacy Framework Principles (found here), the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit: https://www.dataprivacyframework.gov/list

    If you have questions about this Privacy Statement or our practices regarding your Personal Data, you can reach us by using the contact information provided below. This Privacy Statement is updated as of August, 2024.

    What type of Personal Data do we collect and how do we use it?

    We generally collect Personal Data, such as contact and business information and other details of your engagement with Mimecast, and use it to provide, improve, and develop our operations and to provide you support when you need it. We also may use the Personal Data to communicate with you, for example, about your account, security updates, and product information.

    Collecting Personal Data

    The Personal Data we collect for the above purposes include:

    • Your name, email address, postal address or telephone number;
    • Your title, company name and address;
    • Details of the resources you access on the Site and any data you download (see “What Kind of Technical Information Do We Collect” for additional details);
    • Details of other engagements with Mimecast, such as trade show interactions; and/or
    • Candidate employment-related data.

    In certain instances, we may combine one type of information with another, and store them together in our records. In all cases, however, we strive to limit the amount of Personal Data we collect and store.

    We ask that you not send or otherwise share with us any sensitive Personal Data, which includes but is not limited to your government-issued ID numbers (e.g., Social Security number, national identification number, or driver’s license number), racial or ethnic information, political or religious opinions, or your health information.

    We collect Personal Data in a variety of ways including:

    • Through web pages on the Site (e.g., when you request a white paper or complete a form for general or partner inquiries);
    • Through responses to an online email or electronic promotion or survey;
    • Through online forums and social networks (please note that any Personal Data that you choose to submit to one of our online forums or social networks may be read, collected, or used by others who visit these community areas and may be used to send you unsolicited messages. You should carefully consider whether you wish to submit Personal Data to these forums or social networks and should tailor any content you submit appropriately and in accordance with the relevant terms of use); and/or
    • Over the telephone.

    Using Personal Data

    As it is in our legitimate interest to be responsive to you and to ensure the proper functioning of our Services and organization, we will use your Personal Data in the following ways:

    • To assist in responding to your inquiries, including answering your questions on pricing and technical information relating to our Services;
    • To learn more about your requirements (through surveys and the like) in support of development of our Services;
    • To carry out research on our users' demographics;
    • To request your opinion and feedback on areas of the Site or in connection with our Services;
    • At your request to register you for a trial of our Services; and/or
    • At your request to provide you with a quote for our Services.

    Where required by applicable law, we obtain your consent to process your Personal Data to send you information we think you will find useful about our Services or, at your request, subscribe you to our newsletters and alerts concerning the Services we provide. You can can opt-out of such communications, or otherwise change your subscription preferences anytime though our Preference Center by clicking here.

    We may obtain information (e.g., contact information including email addresses and phone numbers) from third parties (e.g., those offering business-contact-data enrichment services) to combine with the Personal Data we have gathered as described in this Privacy Statement. As it is in our legitimate interests to ensure we can communicate with you and to grow our business, we use this Personal Data, to improve our marketing activities and to ensure the Personal Data we hold are relevant and up-to-date. Also, if we provide a means for you to refer a third party to the Site, we will send the third party an email on your behalf with details about the Site. You can unsubscribe to emails by following the unsubscribe instructions in our Preference Center by clicking here, through marketing email communications sent to you, or you can raise a request via our dedicated online portal here or by post at the address provided below. We provide additional information about your Data Subject Rights and how you may exercise them below.

    How do we share Personal Data?

    We share your Personal Data as described in this Privacy Statement or as necessary to provide any Services you have requested or authorized. We share Personal Data with Mimecast-controlled affiliates, partners, properly vetted sub-processors and third-party service providers throughout the world, when required by law, to protect the security our customers with respect to the information that passes through our Services, as well as to protect the rights or property of Mimecast.

    Sharing and disclosing Personal Data

    We do not sell or rent your Personal Data to third parties. We do not share Personal Data, except as expressly provided in this Privacy Statement. We share your Personal Data with the following recipients for the following reasons (keep in mind that these third parties and reasons may not be applicable to you):

    • Our partners to allow them to provide you with marketing information on our behalf as described above.
    • Third-party service providers, for business purposes in our legitimate interest or to perform a contract with you. Such third-party service providers that assist us with (i) website hosting and maintenance; (ii) sending communications; (iii) updating marketing lists and database management; (iv) analyzing data; and (v) the provision of the Site and the marketing of our Services. These service providers will only use your Personal Data to the extent necessary to perform their functions and are subject to contractual obligations to maintain the security and confidentiality of all information they process.
    • For legal and security reasons and to protect our Services and business, in our legitimate interest or as required by law. We may share, disclose, or provide your Personal Data to third parties: (i) when attempting to collect a payment or debt; (ii) when required to combat fraud or to protect our interests; (iii) to enforce our Privacy Statement, our Terms of Use, or any terms of an Agreement with Mimecast; (iv) in response to a legal obligation or if we have determined that it is necessary to share your Personal Data to comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders and regulatory inquiries; (v) to protect the interests of, and to ensure the safety and security of us, our Customers, third parties or the public; and (vi) to defend or exercise legal claims.
    • With our affiliates, in our legitimate interests. We may share your Personal Data with companies within our corporate family.
    • In connection with a corporate sale, reorganization, dissolution or the sale of any business or assets, bankruptcy or other business transaction or re-organization, in our legitimate interests. Personal Data will be included in the transferred assets. As a result, the successor of Mimecast will continue to use your Personal Data as set forth in this Privacy Statement.

    Where is my Personal Data transferred?

    Your Personal Data may be transferred to Mimecast-controlled affiliates and properly vetted sub-processors throughout the world. Your Personal Data may also be transferred to our third-party service providers who are under contractual obligations to ensure the safety and confidentiality of such data. Personal Data collected within the European Economic Area (“EEA”) Switzerland, UK may be transferred to countries outside of the EEA, Switzerland, and UK. We utilize a variety of mechanisms to ensure the security and legitimacy of these transfers.

    Transferring your Personal Data

    The Personal Data that we collect from you will be transferred to, stored and processed by our affiliates, properly vetted sub-processors and third-party service providers. Whenever we transfer your Personal Data outside the EEA/UK/Switzerland, we ensure a similar degree of protection is afforded by ensuring at least one of the following safeguards is implemented:

    • the transfer is to a country that has been deemed to provide an adequate level of protection by the relevant authority governing such transfers; or
    • the transfer is under the approved model clauses for the transfer of personal data to third countries (i.e., the standard contractual clauses).

    We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Statement. Each Mimecast subsidiary and affiliate receiving your Personal Data is bound by an Intercompany Agreement that incorporates the applicable standard contractual clauses. All sub-processors and third-party service providers are under appropriate contractual obligations to ensure the safety and confidentiality of your Personal Data.

    How secure is my Personal Data?

    We have a dedicated internal security organization that implements and operates a comprehensive set of security controls to protect your Personal Data.

    Security

    At Mimecast, we are committed to maintaining the security of the Personal Data we collect from activity on this Site and from other marketing efforts, as well as through our Services. We have therefore implemented technical and operational measures that are intended to reduce the risk of accidental destruction or loss, or the unauthorized disclosure or access to Personal Data that are collected either through our marketing efforts or the Services. You can learn more about our technical and organizational measures by clicking here.

    These technical and organizational measures are periodically reviewed and enhanced as necessary and only authorized personnel have access to Personal Data. While we use all reasonable efforts to prevent the loss or misuse of your Personal Data, we cannot guarantee the security of any Personal Data you submit via the Site or that the Personal Data that you supply will not be intercepted while being transmitted to and from us over the Internet. Therefore, you acknowledge and agree that we assume no liability regarding the theft, loss, alteration, or misuse of your Personal Data, including, without limitation, such Personal Data that has been provided to third parties or other users, or with regards to the failure of a third party to abide by the agreement between us and such third party.

    What kind of technical data do we collect?

    In addition to the Personal Data described above, we collect technical data and other information when you use our Services or visit our Site. You provide some of this Personal Data directly, such as when you register for a webinar, administer your organization’s Mimecast account, or contact us for support. We collect some of it by recording how you interact with our Site by, for example, using technologies like cookies or collecting basic device information like your browser type. We provide more information about cookies below.

    Technical information collected automatically from the Site

    When you visit the Site, our systems automatically collect the following information about your visit (“Other Data”):

    • the type of internet browser you use;
    • the language of your browser;
    • the website from which you have come to the Site;
    • the webpages you view on our Site; and
    • the links you clicked on our Site;

    We also collect your public IP address (the unique address which identifies your computer on the internet). This IP address is typically collected on a country or regional level. We collect your IP address to verify that requests are legitimate and we may automatically cross-reference your public IP address with your domain name (identified collectively as “IP Information”). "Other Data" does not include IP Information.

    As it is in our legitimate interest to be responsive to you and to ensure the proper functioning of our Services and Site and to improve our Site and Services, we use this Other Data and IP information to assist us in:

    • providing, improving, and administering the Site;
    • providing customer care and support services;
    • providing security and safety to our Site visitors;
    • monitoring activity usage of the Site; and
    • measuring the effectiveness of the content we serve.

    We do not use Other Data and IP Information to learn any information about you personally but it may be associated by us or our third party service providers with Personal Data that has been provided by you or otherwise available to or held by us. The collection of this Other Data and IP Information will cease once your use of the Site has ceased, depending on your use of our Services your IP Information may still be collected. However, the Other Data and IP Information collected may be retained, accessed, and used by us as long as necessary for the purposes described herein.

    What about cookies?

    We use cookies and similar technologies to enhance our Services and Site. These technologies allow us, among other things, to store your preferences and settings, make it easier when you to sign-in, and analyze how our Site and Services are performing. You can learn more about our cookie practices below or by clicking here.

    We (or our third-party service providers) may collect your Personal Data using cookies, pixel tags, web beacons, embedded web links, and similar technologies for:

    • Storing your preferences and settings - We may store Personal Data in a cookie so you will see relevant local information when you return to the Site. We also may save preferences, like language and browser so these do not have to be reset each time you return to the Site.
    • Detecting abuse or fraud on the Site.
    • Social Media - Our Site includes certain social media features (such as a “share” or “like” button). Those features are provided by the applicable social media platform (such as Twitter or Facebook). Where Personal Data is collected through the social media feature, the use of that Personal Data is governed by the privacy policy published by the social media platform that provides the feature.
    • Internet-Based Advertising - We also use cookies, Other Data and IP Information to target advertising for our Services on third party sites.
    • Showing advertising - We use cookies to record how many visitors have clicked on an advertisement and to record which advertisements you have seen so you don’t see the same one.
    • Analytics - We use cookies to gather usage and performance data for the Site.

    For example, we use Google Analytics, a web analytics service provided by Google, Inc., to evaluate your use of the Site, compile reports on activity, and provide other services relating to Internet usage. Google Analytics uses first-party cookies that store information, such as what time the current visit occurred, whether the visitor has been to the web page before, and what site referred the visitor to the web page.

    We have also implemented Display Advertising Remarketing with Google Analytics to advertise online. This means that third-party service providers, including Google, display our ads on sites across the Internet and that we and third-party service providers, including Google, use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie, see: http://www.google.com/doubleclick) together to inform, optimize, and serve ads based on your past visits to the Site.

    By using the Site, you consent to the processing of data about you by Google in the manner and for the purposes set out above. If you choose, you can opt out of the processing of data about you by Google for Display Advertising and/or customize the ads by using Google's Ads Settings at: http://www.google.com/settings/ads. You can opt out of the processing of Personal Data about you by Google generally by turning off cookies in the preferences settings in your browser, or by downloading and installing Google Analytics Opt-out Browser Add-on at http://tools.google.com/dlpage/gaoptout. The Google Analytics Opt-out Browser Add-on does not prevent information from being sent to the Site itself or to other web analytics services.

    For more information on Google Analytics, please visit: https://www.google.com/analytics/.

    You can choose to reject certain collection technologies (such as cookies) but then you might not be able to take advantage of many of our features. You can read more about cookies here.

    How long will you use my Personal Data?

    We will only retain your Personal Data and Other Data for as long as reasonably necessary to fulfil the purposes we collected it for. We will also retain and use your Personal Data and Other Data to the extent necessary to comply with our legal obligations, resolve disputes and enforce our terms and conditions, other applicable terms of service and our policies.

    To determine the appropriate retention period, we consider the amount, nature, and sensitivity (if any) of the Personal Data, the potential risk of harm from unauthorized use or disclosure, and the purposes for which we process your Personal Data and whether we can achieve those purposes through other means. We also consider applicable legal, regulatory, tax, accounting, and other requirements.

    In some circumstances, you can ask us to delete your data. Please see “What Are My Data Subject Rights and How Do I Exercise Them?” below.

    What is your commitment to children’s online privacy?

    Our Site is not directed at children. Mimecast does not knowingly accept online Personal Data from children under the age of 18 through our Site. If you are under 18 or otherwise would be required to have parent or guardian consent to share Personal Data with Mimecast through our Site, you should not send any information about yourself to us through our Site.

    The Site shall, from time to time, contain links to external sites. Our Privacy Statement does not apply to these other sites. We are not responsible for the privacy policies or the content of such sites and you should familiarize yourself with such policies upon use of those sites.

    What are my Data Subject Rights and how do I exercise them?

    You have rights with respect to the processing of the Personal Data that you have provided to us. For example, you may view, edit, delete, or move your Personal Data. In certain circumstances, you may object or withdraw your consent to certain processing of your Personal Data. You may also lodge a complaint with a supervisory authority. Any of these rights may be exercised at any time. For customers of our customers, please contact your system administrator. For Mimecast direct customers/partner/contacts, you can exercise your rights via our dedicated online portal. NOTE: We may ask you to verify your identity.

    Personal Data rights. You have the right to access and receive a copy of Personal Data that we hold about you, to rectify any Personal Data held about you that is inaccurate or, in certain circumstances, request the deletion of Personal Data held about you. You also have the right of data portability for Personal Data you have provided to us – this means that you can obtain a copy of your Personal Data in a commonly used machine-readable electronic format so that you can manage and move it, or request that we send it to a third party. You may have the right to restrict or object to the processing of your Personal Data by us, including for direct marketing. Where we rely on consent to process your personal data, you have the right to withdraw your consent at any time via our dedicated online portal here. Please note these rights only apply in certain circumstances and may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain your Personal Data. We will respond to requests without undue delay and at least within one month (though this may be extended by a further two months in certain circumstances).

    Marketing. You have the right to ask us not to process your Personal Data for marketing purposes. You can exercise your right to prevent such processing at any time by contacting us at via our dedicated online portal here, or by managing your subscription preferences through our Preference Center by clicking here.

    Complaints. In compliance with the Data Privacy Framework Principles, Mimecast commits to resolve complaints about our collection or use of your Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework Statement should first contact our dedicated online portal here and we will respond to your request. This is without prejudice to your right to file a claim with a supervisory authority (e.g., the Information Commissioner’s Office in the UK). If you have an unresolved concern relating to your Personal Data that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) JAMS for more information or to file a complaint. Under certain conditions, more fully described on the Data Privacy Framework Program website linked above, you may be entitled to invoke binding arbitration to resolve your complaint.

    What about changes to this Privacy Statement?

    We will occasionally update this Privacy Statement. When we do, we will post a prominent notice in this section of this Privacy Statement notifying users when it is updated. For material changes (i.e., substantially new practices you wouldn’t expect from us or that we didn’t previously tell you about), will take any steps as required by applicable law. The update Privacy Statement will be effective as of the time of posting, or such later date as may be specified in the updated Privacy Statement.

    To subscribe to notifications for changes to this and other data privacy related information, please click here and subscribe to the “Trust Center Update” feed.

    How do I contact you?

    We have a global Data Protection Officer and team to provide you the support you need.

    General Privacy Inquiries: Please submit any questions, concerns or comments you have about this Privacy Statement or any requests concerning your Personal Data to our Data Protection Officer by email to dpo@mimecast.com, or writing to us at:

    Mimecast North America, Inc.
    Attn: Trust Department
    191 Spring Street
    Lexington, MA 02421 USA
    +1 (617) 393-7050

    Back to Top