Region-Specific Information

Your California Privacy Rights

Consumers residing in California are afforded certain additional rights with respect to their personal information under the California Consumer Privacy Act or (“CCPA”) (California Civil Code Section 1798.100 et seq.). If you are a California resident, these terms and conditions apply to you. 

We do not and will not sell your personal information. Evernote uses and collects your information for the purposes described in this Privacy Policy, which include “business purposes” under the CCPA. 

California Consumer Privacy Act

We provide the following additional disclosures related to the collection, use, and disclosure of personal information under the CCPA:

• Categories of Personal Information Collected. In the preceding 12 months, we have collected the categories of personal information listed below. 

• Identifiers such as your first name, last name, email address, IP address, unique device identifiers or other online identifier;
• Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your name or the commercial, professional or education information described below;
• Commercial information such as your payment method and related information if you purchase a subscription;
• Internet or other electronic network activity information, including connection information such as the name of your mobile operator or ISP, browser type and version, usage data, type and version of operating system, hardware version, device settings, software types, battery and signal strength, screen resolution, device manufacturer and model, language and time zone, mobile phone number and IP address;
• Location information, including the IP address you use to connect to the Service and — if you choose to share it — your location information from a mobile device;
• Interaction with our software or apps such as usage data, type and version of operating system, hardware version, device settings, software types, battery and signal strength, screen resolution, device manufacturer and model, language, and Internet browser type and version; 
• Audio, electronic, visual, or similar information, such as photos that you upload to your account or otherwise provide to us, or when you consent to the recording of calls;
• Professional or employment-related information (for Evernote Teams users);
• Education information, if you choose to provide this information in marketing surveys;
• Other information that relates to or is capable of being associated with you, including categories we may associate with you, based on the information we or our partners collect, so that we may contact you with messaging that we think will interest you.

For additional examples of the types of data we may collect, see the section “What information does Evernote collect?” of this Privacy Policy. 

• Business or Commercial Purpose for Collecting Information. We collect personal information for the business and commercial purposes described in the section “How does Evernote use my information?” of this Privacy Policy. 

• Categories of Sources of Personal Information. We collect personal information directly from you when you interact with our Services, automatically when you access or use our Services or transact business with us, and from third-party sources as described in the section “What information does Evernote collect?” of this Privacy Policy. 

• Categories of Third Parties with Whom We Share Information. We may share your personal information with third parties as described in the section “How does Evernote share or disclose my information?” of this Privacy Policy.

• Categories of Personal Information and Categories of Third Parties to Whom Disclosed. In the preceding 12 months, we have disclosed the following categories of personal information for business or commercial purposes to the categories of third parties as described in the section “How does Evernote share or disclose my information?” of this Privacy Policy: 

• Sale of Personal Information. Evernote does not, and will not, sell the personal information of our users. Evernote has not sold the personal information of our users for a business or commercial purposes in the preceding 12 months.

Your Consumer Rights 

California consumers have the right to request access to the specific pieces of personal information we have collected about them in the last 12 months. You may also request additional details about our information practices, including the categories of personal information we have collected about you, the categories of sources of such collection, the business or commercial purpose for collecting  personal information, the categories of third parties with whom we share your personal information, and the categories of personal information we have disclosed about you in the preceding 12 months. If you are a California consumer, you also have the right to (i) request deletion of your personal information (subject to certain exceptions), (ii) opt out of sales of personal information, and (iii) receive equal service and price and not be discriminated against even if you exercise any of your other CCPA rights.

California consumers may make requests by following these instructions: 

• Submit a ticket through our Help and Learning portal located at https://help.evernote.com. If you do not have an Evernote account or are a free subscriber, you can submit a request as a guest.

• Alternatively, you may email your request to privacy@evernote.com. In the subject line of your email, please write “CCPA Rights Request.” 

Note that in order to fulfill your request, we may need you to provide certain information to verify your identity, by  ensuring your request was made from your primary account email address or using our support portal from an authenticated account. You can also designate an authorized agent to exercise these rights on your behalf. The authorized agent will be asked to verify (i) the user and/or account about which the request relates and (ii) their identity and written authorization to act as your agent. Individuals acting as authorized agents for end users will be required to submit a written authorization from the end user that includes the date of the authorization (within the three months preceding the request), the end user’s name, and the end user’s signature. Agencies acting as authorized agents for end users will be required to submit proof of registration with the California Secretary of State (if making a request under CCPA) and a request using a power of attorney form pursuant to Cal. Prob. Code Sections 4000 to 4465 or another sufficient document that satisfies power of attorney requirements under applicable law. We will not discriminate against you if you choose to exercise your rights under the CCPA.

Personal Data Requests 

You can find information on the volume of personal data requests Evernote received and processed from all individuals globally in the 12 months from January 1 to December 31, 2021 in the table below:

The Evernote Service is accessible to consumers with disabilities. Consumers with disabilities may also contact us by emailing privacy@evernote.com to request an alternative format of this Privacy Policy.

European User Data Access Rights

Below is an explanation of the data access rights Evernote makes available to EEA, UK and Swiss individuals. 

How does Evernote comply with data transfer rules?

Evernote uses two data transfer mechanisms: the Standard Contractual Clauses and the Privacy Shield Frameworks.  

Standard Contractual Clauses

Evernote utilizes the Standard Contractual Clauses, which are contract terms developed and approved by the European Commission as ensuring adequate protection for data subjects when transferring personal data from the EEA, the United Kingdom (“UK”), or Switzerland to the United States and other countries. The Standard Contractual Clauses are generally referenced within a Data Processing Agreement entered between Evernote and the applicable parties.

Privacy Shield Frameworks     

In addition, despite the 2020 invalidation of the EU-US Privacy Shield by the European Court of Justice and the Swiss-US Privacy Shield by the Swiss Federal Data Protection and Information Commissioner, Evernote has elected to maintain its certification of compliance with the EU-US Privacy Shield and the Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data from EEA member countries, the UK, and Switzerland.

As used in this notice, "personal data" means information that (i) is transferred from the EEA, the UK, or Switzerland to the United States, (ii) is recorded in any form, (iii) is about, or relates to, an identified or identifiable individual, and (iv) can be linked to that individual. This notice outlines our general policy and practices for implementing the Privacy Shield Principles for personal data.

The Evernote Corporation has certified that in respect of all personal data it receives from the EEA, the UK, and Switzerland in reliance on the Privacy Shield, it will adhere to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers, Security, Data Integrity & Purpose Limitation, Access, and Recourse, Enforcement and Liability. To access the Privacy Shield List and to find details of our certification, please visit: https://www.privacyshield.gov/list.

If we ever need to use your personal data for a purpose that is materially different to the purposes we collected it for or that you later authorize, we will notify you and provide you with the opportunity to opt-out.

Under the Privacy Shield, Evernote Corporation will remain liable if its third-party service providers process your personal data in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Residents of the EEA, the UK, or Switzerland who believe that their personal data has not been processed in compliance with the Privacy Shield Principles may raise their complaint in the following ways:

1. You can contact Evernote Corporation directly using the details in the "How can I contact Evernote?" section in our Privacy Policy. We will respond to your complaint within 45 days of receipt.

2. We have further committed to refer unresolved privacy complaints under the Privacy Shield to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive a timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information about the scheme. This JAMS service will be provided to complainants free of charge. To file a complaint directly with JAMS, go here: https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim

3. For residual disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the Privacy Shield's binding arbitration scheme, please see: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

You may have the right to access personal data that we hold about you and request that we correct, amend, or delete it if it is inaccurate or processed in violation of Privacy Shield. Please contact us, as provided above, to make such a request and we will consider it in accordance with the Privacy Shield's Principles.

The Federal Trade Commission has investigation and enforcement authority over our compliance with the Privacy Shield.

Please note that we may disclose personal data to respond to subpoenas, court orders, legal process, or government requests (including in response to public authorities to meet national security or law enforcement requirements).

Your Brazilian Privacy Rights  

Users residing in Brazil are afforded certain additional rights with respect to their personal information under the Brazilian General Data Protection Law (Law No. 13,709/18 or “LGPD”). If you are a Brazilian resident, You have certain rights in connection with your personal data according to LGPD:

• Confirm the existence of processing of your personal data that we lawfully make. 

• Access your personal data, and request a full simplified or full report about the personal data that we are lawfully processing about you.

• Request correction of any incomplete, outdated or inaccurate personal data we hold about you, although we may need to verify the accuracy of the new data you provide to us.

• Request anonymization, blocking or deletion of unnecessary or excessive data, or data processed in non-compliance with the applicable law.  

• Revoke your consent at any time, where we rely on your consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. 

• Request deletion of your lawfully processed personal data that was processed based on your consent.

• Request information about public and private entities with which Evernote has shared your personal data. 

• Request data portability or the transfer of your personal data, in certain circumstances, pursuant to applicable laws. 

You may also contact us at any time if you have queries, as indicated below, and you also have a right to lodge a complaint with the applicable supervisory authority.

How do I get a Data Processing Agreement?

Evernote Teams customers looking for a data protection agreement should contact their customer success agent, or email privacy@evernote.com for more information.

Does Evernote view itself as a data controller or data processor?

Both. Depending on the circumstance. We've outlined details about Evernote's role in each of these designations below.

Data controller: For our individual users, Evernote will act as a data controller. When Evernote is the data controller, we handle personal data as described in our Privacy Policy. We've updated our terms to align with the updated GDPR requirements.

Data processor: Evernote acts as a data processor on behalf of our Evernote Teams customers. 

Which Evernote company is my data controller?

If you live in Brazil, your data controller is Evernote do Brasil Serviços de Aplicaçōes Ltda. (“Evernote Brasil”). If you live in the United States and Canada, your data controller is Evernote Corporation (headquartered in California). If you live anywhere else, your data controller is Switzerland-based Evernote GmbH.

A Note about our Data Processing Grounds

We process personal data originating from the European Economic Area (“EEA”), the United Kingdom, Switzerland, and Brazil on one of three grounds, depending on the circumstances: (i) your affirmative consent, in which case you will have the right to withdraw consent at any time; (ii) contractual necessity; or (iii) our legitimate interest in providing the Service.

What third parties does Evernote work with to process customer data?

Evernote uses third party vendors to help provide the Evernote services to our customers. Before onboarding new vendors, Evernote conducts a privacy and security review. Any vendors which handle personal data must sign a data processing agreement with Evernote. To view an updated list of the third party vendors visit https://evernote.com/privacy/vendors