Region-Specific Information
Effective Date: October 6, 2023
The information on this page supplements the information found in our Privacy Policy and may apply to you if you are a resident of one of the regions below.
California
Your California Privacy Rights
Consumers residing in California are afforded certain additional rights with respect to their personal information under the California Consumer Privacy Act, as amended from time to time, including the California Privacy Rights Act and its implementation regulations (“CCPA”) (California Civil Code Section 1798.100 et seq.).
Evernote collects your information for the purposes described in this Privacy Policy, which include “business purposes” under the CCPA. We provide the following additional disclosures related to the collection, use, and disclosure of personal information under the CCPA:
Categories of Personal Information Collected. In the preceding 12 months, we have collected the categories of personal information listed below.
- Identifiers. Identifiers such as your first name, last name, email address, IP address, unique device identifiers or other online identifier.
- Personal information categories listed in the California Customer Records statute. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your name or the commercial, professional, or education information described below.
- Commercial information. Commercial information such as your payment method and related information if you purchase a subscription.
- Network activity. Internet or other electronic network activity information, including connection information and information regarding your interaction with the Service such as the name of your mobile operator or ISP, browser type and version, usage data, type and version of operating system, hardware version, device settings, software types, battery and signal strength, screen resolution, device manufacturer and model, language and time zone, mobile phone number and IP address.
- Geolocation data. Geolocation data, including the IP address you use to connect to the Service and — if you choose to share it — your location information from a mobile device.
- Sensory information. Audio, electronic, visual, or similar information, such as photos that you upload to your account or otherwise provide to us, or when you consent to the recording of calls.
- Professional information. Professional or employment-related information (for Evernote Teams users).
- Education information. Education information, if you choose to provide this information such as in marketing surveys or your profile.
- Inferences. Inferences drawn from any of the information above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and/or aptitudes, so that we may contact you with messaging that we think will interest you.
We do not sell or share (as defined under the CCPA) any of the categories of personal information we collect about you, and have not sold or shared such information in the preceding 12 months. We generally do not collect information that is considered sensitive personal information (as defined under the CCPA). In the limited circumstances that we do, such as the collection of your username and password, we do not collect this information for the purpose of inferring characteristics about you. For additional examples of the types of data we may collect, see the section “What information does Evernote collect?” of this Privacy Policy.
Business or Commercial Purpose for Collecting Information. We collect personal information for the business and commercial purposes described in the section “How does Evernote use my information?” of this Privacy Policy.
Categories of Sources of Personal Information. We collect personal information directly from you when you interact with our Services, automatically when you access or use our Services or transact business with us, and from other sources as described in the section “What information does Evernote collect?” of this Privacy Policy.
Categories of Recipients with Whom We Disclose Information. We may disclose your personal information as described in the section “How does Evernote disclose my information?” of this Privacy Policy. In the preceding 12 months, we have disclosed the categories of personal information for a business purpose or at your direction to our parent, affiliates, and service providers.
Your Rights. Below is an explanation of rights for California consumers:
- Right to know. You can request to know the specific pieces of personal information we collect about you.
- Right to correct. You can request that we correct certain inaccurate information.
- Right to delete. You can request that we delete personal information that we collect from you (subject to certain exceptions).
California consumers may make rights requests by following these instructions:
- Submit a ticket through our Help and Learning portal located at https://help.evernote.com. If you do not have an Evernote account or are a free subscriber, you can submit a request as a guest.
- Alternatively, you may email your request to privacy@evernote.com. In the subject line of your email, please write “CCPA Rights Request.”
We will not discriminate against you if you choose to exercise your rights under the CCPA.
Note that in order to fulfill your request, we may need you to provide certain information to verify your identity, by ensuring your request was made from your primary account email address or using our support portal from an authenticated account. You can also designate an authorized agent to exercise these rights on your behalf. The authorized agent will be asked to verify (i) the user and/or account about which the request relates, and (ii) their identity and written authorization to act as your agent. We may ask you to directly confirm to us that you have given permission to the authorized agent to submit the request.
Personal Information Requests. You can find information on the volume of personal data requests Evernote received and processed from all individuals globally in the 12 months from January 1 to December 31, 2022 in the table below:
Type of request | Received | Complied with (in whole or in part) | Denied |
---|---|---|---|
Request to Know | 12 | 12 | 0 |
Request to Delete | 224,564 | 224,564 | 0 |
Request to Opt Out of Sales | Evernote does not sell personal information |
The Evernote Service is accessible to consumers with disabilities. Consumers with disabilities may also contact us by emailing privacy@evernote.com to request an alternative format of this Privacy Policy.
Europe
Users residing in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland are afforded certain additional rights with respect to their personal information under applicable data protection laws, including Regulation (EU) 2016/679 – General Data Protection Regulation (“GDPR”).
Your Rights. Subject to applicable data protection laws, the following rights may be available:
- Right to access. You can request Evernote to provide you with information on how we collect, use, and store your personal information, including providing you with a copy of your personal information that we store in Evernote.
- Right of rectification. You can request that we correct certain inaccurate personal information.
- Right of erasure. You can request that we delete your personal information.
- Right to data portability. You can export your information from Evernote to a competing service. See our Third Law of Data Protection for more information.
- Right to object. You can object to the processing of your personal information in certain cases, as well as request that Evernote not use your personal information for direct marketing purposes. Direct marketing includes emails which help us keep you informed about the latest improvements to our Service. See our Help and Learning page on opting-out for more information.
- Right to restrict. You can restrict the processing of your personal information in certain cases.
For information on the legal bases for processing, see “A Note about our Legal Bases for Processing” below. You may also contact us at any time if you have queries, as indicated below, and you also have a right to lodge a complaint with the applicable supervisory authority.
Data transfers. Evernote uses Standard Contractual Clauses or other appropriate mechanisms to safeguard the transfer of personal information. Standard Contractual Clauses are contract terms developed and approved by the European Commission as ensuring adequate protection for data subjects when transferring personal information from the EEA, the UK, or Switzerland to the United States and other countries. The Standard Contractual Clauses are generally referenced within an agreement entered between Evernote and the applicable parties.
Data Privacy Frameworks. Evernote Corporation has self-certified its compliance with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively, the “Frameworks”).
Evernote Corporation has certified that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the EEA in reliance on the EU-U.S. DPF and from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Evernote Corporation has certified that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. Under the Frameworks, Evernote Corporation will remain liable if its third-party service providers process your personal data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage. To learn more about the Data Privacy Framework (“DPF)” program, and to view our certification, please visit https://www.dataprivacyframework.gov.
Residents of the EEA, the UK (and Gibraltar), or Switzerland who believe that their personal data has not been processed in compliance with the Principles may contact Evernote Corporation directly using the details in the "How can I contact Evernote?" section in our Privacy Policy. If you do not receive a timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by us, you may contact JAMS, an alternative dispute resolution provider based in the U.S., by visiting https://www.jamsadr.com/eu-us-data-privacy-framework. This JAMS service will be provided to complainants free of charge.
For residual disputes that cannot be resolved by the methods above, you may be able to invoke a binding arbitration process under certain conditions. To find out more about the binding arbitration scheme, please visit the DPF website.
The Federal Trade Commission has investigation and enforcement authority over our compliance with the Frameworks.
Brazil
Users residing in Brazil are afforded certain additional rights with respect to their personal information under the Brazilian General Data Protection Law (Law No. 13,709/18 or “LGPD”).
Your Rights. If you are a resident of Brazil, you have certain rights in connection with your personal information according to the LGPD:
- Right to access. You can ask that we confirm the existence of processing of your personal information and request access to such information, including information about public and private entities with which Evernote has disclosed your personal information. You can also request to review decisions based solely on automated processing of personal information that affect your interests, including decisions aimed at defining your personal, professional, consumer and credit profile, or personality aspects.
- Right to correct. You can request that we correct certain inaccurate, outdated, and inexact personal information.
- Right to delete. You can request that we delete your personal information where the personal information is processed based on your consent, subject to certain exceptions.
- Right to anonymization, blocking, or deletion. Where your personal information is unnecessary, excessive, or is processed in non-compliance with the LGPD, you can request the anonymization, blocking, or deletion of such personal information.
- Right to data portability. You can export your information from Evernote to a competing service. See our Third Law of Data Protection for more information.
- Right to object. You can object to the processing of personal information in certain cases.
- Right to withdraw consent. Where we rely on your consent to process personal information, you have the right to withdraw consent at any time and all processing activities carried out before your withdrawal of consent will remain valid.
For information on the legal bases for processing, see “A Note about our Legal Bases for Processing” below. You may also contact us at any time if you have queries, as indicated below, and you also have a right to lodge a complaint with the applicable supervisory authority (the Brazilian Data Protection Authority).
Additional Information
How do I get a Data Processing Addendum?
Evernote Teams customers looking for a data protection agreement should contact their customer success agent, or email privacy@evernote.com for more information.
Does Evernote view itself as a data controller business or data processor?
Both. Depending on the circumstance. We've outlined details about Evernote's role in each of these designations below:
- Data controller: For our individual users, Evernote will act as a data controller. When Evernote is the data controller, we handle personal information as described in our Privacy Policy.
- Data processor / service provider: Evernote acts as a data processor or service provider on behalf of our Evernote Teams customers.
Which Evernote company is my data controller?
If you live in Brazil, your data controller is Evernote do Brasil Serviços de Aplicaçōes Ltda. (“Evernote Brasil”). If you live in the United States (“US”) and Canada, your data controller is US-based Evernote Corporation. If you live anywhere else, your data controller is Switzerland-based Evernote GmbH. To contact your data controller, please see the "How can I contact Evernote?" section in our Privacy Policy.
A Note about our Legal Bases for Processing
We process personal information subject to applicable data protection laws in the EEA, the UK, Switzerland, and Brazil on the following grounds, depending on the circumstances: (i) your consent, which you can withdraw at any time; (ii) performance of our contract with you; (iii) our legitimate interest (which is not overridden by your right to privacy) such as protecting your account or improving our products and services; or (iv) compliance with a legal obligation.
What third parties does Evernote work with to process customer data?
Evernote uses third-party vendors to help provide the Evernote Service to you. Before onboarding new vendors, Evernote conducts a privacy and security review. Any vendors which handle personal information must sign a data processing agreement with Evernote. To view an updated list of the third-party vendors, visit https://evernote.com/privacy/vendors.
If this Policy is translated into any language other than English, in the event of a conflict, the English language version shall govern to the fullest extent permitted by applicable laws.