Effective Date: May 15, 2021
Consumers residing in California are afforded certain additional rights with respect to their personal information under the California Consumer Privacy Act (“CCPA”) (California Civil Code Section 1798.100 et seq.). If you are a California resident, these terms and conditions apply to you.
We provide the following additional disclosures related to the collection, use, and disclosure of personal information under the CCPA:
Categories of Personal Information Collected. In the preceding 12 months, we have collected the categories of personal information listed below.
Category of Personal Information
Categories of Third Parties to Whom Disclosed
Sale of Personal Information. Evernote does not, and will not, sell the personal information of our users. Evernote has not sold the personal information of our users for a business or commercial purpose in the preceding 12 months.
California consumers have the right to request access to the specific pieces of personal information we have collected about them in the last 12 months. You may also request additional details about our information practices, including the categories of personal information we have collected about you, the categories of sources of such collection, the business or commercial purpose for collecting personal information, the categories of third parties with whom we share your personal information, and the categories of personal information we have disclosed about you in the preceding 12 months. If you are a California consumer, you also have the right to (i) request deletion of your personal information (subject to certain exceptions), (ii) opt out of sales of personal information, and (iii) receive equal service and price and not be discriminated against even if you exercise any of your other CCPA rights.
California consumers may make requests by following these instructions:
Submit a ticket through our Help and Learning portal located at https://help.evernote.com. If you do not have an Evernote account or are a free subscriber, you can submit a request as a guest.
Alternatively, you may email your request to firstname.lastname@example.org. In the subject line of your email, please write “CCPA Rights Request.”
Note that in order to fulfill your request, we may need you to provide certain information to verify your identity, by ensuring your request was made from your primary account email address or using our support portal from an authenticated account. You can also designate an authorized agent to exercise these rights on your behalf. The authorized agent will be asked to verify (i) the user and/or account about which the request relates and (ii) their identity and written authorization to act as your agent. Individuals acting as authorized agents for end users will be required to submit a written authorization from the end user that includes the date of the authorization (within the three months preceding the request), the end user’s name, and the end user’s signature. Agencies acting as authorized agents for end users will be required to submit proof of registration with the California Secretary of State (if making a request under CCPA) and a request using a power of attorney form pursuant to Cal. Prob. Code Sections 4000 to 4465 or another sufficient document that satisfies power of attorney requirements under applicable law. We will not discriminate against you if you choose to exercise your rights under the CCPA.
Below is an explanation of the data access rights Evernote makes available to EEA, UK and Swiss individuals.
WHAT DOES IT MEAN FOR YOU?
Right to access
Right of rectification
Right to data portability
Right to object
Evernote uses two data transfer mechanisms: the Standard Contractual Clauses and the Privacy Shield Frameworks.
Evernote utilizes the Standard Contractual Clauses, which are contract terms developed and approved by the European Commission as ensuring adequate protection for data subjects when transferring personal data from the EEA, the United Kingdom (“UK”), or Switzerland to the United States and other countries. The Standard Contractual Clauses are generally referenced within a Data Processing Agreement entered between Evernote and the applicable parties.
In addition, despite the 2020 invalidation of the EU-US Privacy Shield by the European Court of Justice and the Swiss-US Privacy Shield by the Swiss Federal Data Protection and Information Commissioner, Evernote has elected to maintain its certification of compliance with the EU-US Privacy Shield and the Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data from EEA member countries, the UK, and Switzerland.
As used in this notice, "personal data" means information that (i) is transferred from the EEA, the UK, or Switzerland to the United States, (ii) is recorded in any form, (iii) is about, or relates to, an identified or identifiable individual, and (iv) can be linked to that individual. This notice outlines our general policy and practices for implementing the Privacy Shield Principles for personal data.
The Evernote Corporation has certified that in respect of all personal data it receives from the EEA, the UK, and Switzerland in reliance on the Privacy Shield, it will adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity & Purpose Limitation, Access, and Recourse, Enforcement and Liability. To access the Privacy Shield List and to find details of our certification, please visit: https://www.privacyshield.gov/list.
If we ever need to use your personal data for a purpose that is materially different to the purposes we collected it for or that you later authorize, we will notify you and provide you with the opportunity to opt out.
Under the Privacy Shield, Evernote Corporation will remain liable if its third-party service providers process your personal data in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.
Residents of the EEA, the UK, or Switzerland who believe that their personal data has not been processed in compliance with the Privacy Shield Principles may raise their complaint in the following ways:
We have further committed to refer unresolved privacy complaints under the Privacy Shield to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information about the scheme. This JAMS service will be provided to complainants free of charge. To file a complaint directly with JAMS, go here: https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim
For residual disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the Privacy Shield's binding arbitration scheme, please see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
You may have the right to access personal data that we hold about you and request that we correct, amend, or delete it if it is inaccurate or processed in violation of Privacy Shield. Please contact us, as provided above, to make such a request and we will consider it in accordance with the Privacy Shield's Principles.
The Federal Trade Commission has investigation and enforcement authority over our compliance with the Privacy Shield.
Please note that we may disclose personal data to respond to subpoenas, court orders, legal process, or government requests (including in response to public authorities to meet national security or law enforcement requirements).
Users residing in Brazil are afforded certain additional rights with respect to their personal information under the Brazilian General Data Protection Law (Law No. 13,709/18 or “LGPD”). If you are a Brazilian resident, you have certain rights in connection with your personal data according to LGPD:
Confirm the existence of processing of your personal data that we lawfully make.
Access your personal data, and request a full simplified or full report about the personal data that we are lawfully processing about you.
Request correction of any incomplete, outdated or inaccurate personal data we hold about you, although we may need to verify the accuracy of the new data you provide to us.
Request anonymization, blocking or deletion of unnecessary or excessive data, or data processed in non-compliance with the applicable law.
Revoke your consent at any time, where we rely on your consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
Request deletion of your lawfully processed personal data that was processed based on your consent.
Request information about public and private entities with which Evernote has shared your personal data.
Request data portability or the transfer of your personal data, in certain circumstances, pursuant to applicable laws.
You may also contact us at any time if you have queries, as indicated below, and you also have a right to lodge a complaint with the applicable supervisory authority.
Evernote Business customers looking for a data protection agreement should contact their customer success agent, or email email@example.com for more information.
Both, depending on the circumstance. We've outlined details about Evernote's role in each of these designations below.
Data processor: Evernote acts as a data processor on behalf of our Evernote Business customers.
If you live in Brazil, your data controller is Evernote do Brasil Serviços de Aplicações Ltda. (“Evernote Brasil”). If you live in the United States and Canada, your data controller is Evernote Corporation (headquartered in California). If you live anywhere else, your data controller is Switzerland-based Evernote GmbH.
We process personal data originating from the European Economic Area (“EEA”), the United Kingdom, Switzerland, and Brazil on one of three grounds, depending on the circumstances: (i) your affirmative consent, in which case you will have the right to withdraw consent at any time; (ii) contractual necessity; or (iii) our legitimate interest in providing the Service.
Evernote uses third-party vendors to help provide the Evernote services to our customers. Before onboarding new vendors, Evernote conducts a privacy and security review. Any vendors which handle personal data must sign a data processing agreement with Evernote. To view an updated list of the third-party vendors visit https://evernote.com/privacy/vendors
In the event of a conflict, the English language version shall govern.