Published on: 23 May 2018
Last updated on: 8 July 2024
This is the Privacy Notice for the F5 and NGINX brands. It explains the way that F5, Inc. and its affiliates (collectively "F5") handle information about you that is collected in the contexts described below.
Under the EU General Data Protection Regulation (“GDPR”) and other similar laws, F5 is considered a “controller” of that data because F5 determines how that data will be handled. F5, Inc. is typically the primary controller within the F5 group of companies.
This Privacy Notice also applies to personal data F5 receives in the context of providing its services (the “Services”). For many Services, F5 acts only as a “processor” (not a controller) with respect to the personal data it collects through the Service. This means that F5 handles the personal data solely pursuant to the relevant customer’s instructions, unless legally required to do otherwise. The Service-specific Privacy Statements below explain F5’s role as a controller or processor with respect to particular Services and provide additional privacy information.
1. What types of Personal Data does F5 collect?
We collect, store, and use the following categories of personal data:
We obtain personal data directly from you or your employer; from third-party sources such as our Unity Partners (which include resellers and distributors); third-party marketplaces where our products are offered (such as AWS and Google Cloud Platform); data brokers (such as Dun & Bradstreet); marketing companies; referrals from customers, and users; and from publicly available sources such as company websites and LinkedIn. Through some Services, we obtain personal data from our customers, or from individuals who interact with our customers or their online properties.
In some cases, F5 collects personal data through the technology described in Section 7 below.
2. How does F5 use and disclose Personal Data with others?
F5 uses and discloses personal data for the following purposes:
For those purposes, we may disclose personal data to, for example:
These uses and disclosures are also subject to our contractual obligations.
3. What are the legal reasons F5 can do this?
The laws in some jurisdictions require data controllers to tell you about the legal grounds that allow them to use or disclose your personal data. Where those laws apply, our legal grounds are:
4. What Personal Data rights and choices (including direct marketing opt-out) are available?
For personal data that we collect through our Services, the Privacy Statement for each Service has instructions for how you can exercise your legal rights with respect to such data. Where we process such data solely on behalf of a customer, those instructions typically will indicate that you should contact the customer to exercise those rights. In those cases, if you contact F5 instead, we normally will refer your request to the relevant customer (if we know who that is) and will cooperate with that customer’s handling of the request, subject to any special contractual arrangement with that customer.
For other personal data (including certain personal data we collect through some of our Services), we offer the options below for exercising your rights and choices about how we use your personal data. Many of these are subject to important limits or exceptions under applicable laws and, where applicable, the EU-U.S., Swiss-U.S. and UK-US Data Privacy Frameworks (together “Data Privacy Framework”).
You may contact us with any concerns or complaints regarding our privacy practices, and you also may submit a complaint to the relevant governmental authority. (Individuals whose personal data we receive under our Data Privacy Framework certification also may file a Data Privacy Framework related complaint, as described in the Data Privacy Framework section below.)
For your protection, we will only implement requests with respect to personal data after we have verified your identity to our satisfaction, taking into consideration the nature of your request.
5. Does the personal data go to other countries?
We are a global company with headquarters in the United States, and the F5 affiliates and third parties to whom we disclose the personal data as described in this Privacy Notice are located in the United States and elsewhere in the world, including countries where data protection laws may not provide as much protection as your country. Your personal information may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of these or other countries, pursuant to the laws of such countries. F5 complies with legal requirements for protecting the movement of data across borders, including through the use of European Commission-approved Standard Contractual Clauses.
Please note that our customers may transfer personal data to F5 on the basis of legal mechanisms approved by the European Commission and other relevant authorities for transferring data across borders, such as Standard Contractual Clauses. If you wish to exercise a right to see copies of the mechanisms that F5 uses to transfer data to third parties, please contact us.
Finally, certain F5 services allow our customers and users to transfer data to third parties. Those customers and users are solely responsible for those transfers.
6. F5, Inc.’s Data Privacy Framework Certification
Please read below in order to find out relevant information about F5, Inc.'s Data Privacy Framework certification in relation to the international transfers of personal data (that is covered by applicable EEA, Swiss and UK data protection laws) to F5, Inc. in the USA.
Please note that this Data Privacy Framework certification is limited to personal data that meets all of the following conditions: (i) F5, Inc. receives the data in the U.S. from a “transfer” from the United Kingdom, European Economic Area or Switzerland (as such term is defined under the laws of such jurisdictions), (ii) F5, Inc. receives the personal data via a Service, and (iii) the Service-specific Privacy Statement indicates that F5’s Data Privacy Framework commitment applies to that Service.
(i) Participation in the Data Privacy Framework
F5, Inc., complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. F5, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. F5, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
(ii) Types of personal data collected
Please refer to section 1 above to find out about the types of personal data collected by F5, Inc. under the Data Privacy Framework.
(iii) Commitment to be subject to the Data Privacy Framework Principles
F5, Inc. is committed to being subject to the Data Privacy Framework Principles for all personal data received from the European Union, the United Kingdom (and Gibraltar), and Switzerland in reliance on the relevant part(s) of the Data Privacy Framework program.
(iv) Purposes for collection and use of personal data
Please refer to section 2 above to find out about the purposes that the F5, Inc. collects and uses personal data under the Data Privacy Framework.
(v) How to contact us about any inquiries or complaints regarding Data Privacy Framework compliance
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, F5, Inc. commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact F5, Inc. at:
F5, Inc.
Attn: Privacy Office
801 5th Ave
Seattle, Washington 98104
United States
Main European office:
NGINX
Attn: Privacy Office
3rd Floor, 89/90 South Mall
Cork, Ireland
T12 RPPO
UK Office:
F5 Networks Limited
Attn: Privacy Office
Chertsey Gate West
43-47 London Street, Chertsey
Surrey KT16 8AP
United Kingdom
Data Protection Officer:
Dr. Felix Wittern
Fieldfisher Tech Rechtsanwaltsgesellschaft mbH
Amerigo Vespucci Platz 1
20457 Hamburg
Germany
f5.dpo@fieldfisher.com
(vi) Independent dispute resolution
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, F5, Inc. commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/file-a-dpf-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
(vii) The type or identity of third parties to which we disclose personal information under the Data Privacy Framework, and the purposes for which we do so
Please refer to section 2 above to find out about the type or identity of third parties to which we disclose personal information under the Data Privacy Framework, and the purposes for which we do so.
(viii) Your right to access your personal data
You also have the right to access any personal data that relates to you and which is processed under the Data Privacy Framework. Further information about this right can be found in section 4 above.
(ix) Your choices regarding use of your personal data
Under the Data Privacy Framework:
For personal data processing that is controlled by F5, Inc., these choices can be exercised through the methods outlined in section 4 above, or through contacting F5, Inc. through the methods noted in section 12 below.
(x) Subjection to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC)
The Federal Trade Commission has jurisdiction over F5, Inc.’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
(xi) Possible use of binding arbitration
You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Data Privacy Framework compliance not resolved by any of the other Data Privacy Framework mechanisms. For additional information about this, please see: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
(xii) Requirement to disclose personal data in response to lawful requests by public authorities,
Please be aware that F5, Inc. may be required to disclose personal data that relates to you (and which is protected under the Data Privacy Framework) in response to lawful requests by public authorities including to meet national security or law enforcement requirements.
(xiii) F5, Inc.'s liability in cases of onward transfers to third parties.
F5, Inc.'s may transfer personal data for the purposes described in section 2 above to a third party acting as a data controller or as an agent. If we intend to disclose personal data to a third party acting as a data controller or as an agent we will comply with, and protect, personal data as provided in the Accountability for Onward Transfer Principle of the Data Privacy Framework.
F5, Inc. remain liable for the processing of personal data received under the Data Privacy Framework and subsequently transferred to a third party acting as an agent if the agent processes such personal data in a manner inconsistent with the Data Protection Framework principles, unless we prove that we are not responsible for the event giving rise to the damage.
7. Does F5 use cookies and similar technology?
In our websites, apps, and emails, we and third parties may collect certain information by automated means such as cookies, web beacons, JavaScript, mobile-device functionality and other computer code. This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation, other device information, Internet connection information, as well as details about your interactions with our apps, websites, and emails (for example, the URL of the third-party website from which you came, the pages on our website that you visit, and the links you click on in our websites).
We and third parties may use these automated means to read or write information on your devices, such as in various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage), or to collect pieces of information that together may uniquely identify your device.
Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may transfer to or read from your devices for the purposes described in this Privacy Notice, such as to recognize the devices, to improve your use of our website and services, for cybersecurity, to prevent fraud, to provide services, and for record-keeping, analytics, and marketing, depending on the context of collection.
These technologies help us:
Also, in some cases, we assist with the collection of information by advertising services provided by third parties. The ad services may track your online activities over time by collecting information through automated means such as cookies, and they may use this information to show you ads that are tailored to your individual interests or characteristics and/or based on your prior visits to certain sites or apps, or other information we or they know, infer, or have collected from the users like you.
For example, we and these services may use different types of cookies, other automated technology, and data to:
Below, you can find options for adjusting your preferences for our use of various technologies on our websites in a particular browser. For most of the cookie preference options described below, your opt-out will be stored a cookie. That means that you can undo your opt-out by manually clearing the cookies in your browser or by using a browser that automatically clears cookies. Depending on where you are and some other factors, this may reactivate the sorts of cookies that your previous preference had stopped. If you do that and then decide to opt-out again for that browser, you will need to perform the relevant opt-out steps again in that browser.
By clicking on the cookie hyperlink in the footer of participating F5 websites, you can launch a consent tool to adjust your preferences about how certain cookies and certain similar technologies are used in F5 websites that hyperlink to that same preferences tool from their footer. You should repeat this process with each browser you use to visit those websites. This is the best way to control cookies on the sites that offer this option.
Analytics opt-outs: You can opt out of Google Analytics and customize Google Display Network ads by using the Google Ads Settings page from each browser. Google also allows you to install a Google Analytics Opt-out Browser Add-on for most browsers.
To learn more about interest-based advertising generally, or to use a different method to opt out of targeted, interest-based ads by some of our current ad service partners, visit aboutads.info/choices or youronlinechoices.eu from each browser you use.
In addition, you may be able to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed as described here. However, if you block or otherwise reject our cookies, local storage, JavaScript or other technologies, certain websites (including some of our own websites) may not function properly.
If you replace, change, or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again.
Please visit your mobile device manufacturer's website (or the website for its operating system) for instructions on any additional privacy controls in your mobile operating system, such as privacy settings for device identifiers and geolocation. Please note, however, that we do not respond to browser-based privacy signals (such as do-not-track) at this time.
8. How long does F5 store Personal Data?
We will retain personal data as long as necessary to fulfill the purposes outlined in this Privacy Notice unless the law requires us to keep it for a longer period of time. To provide security and business continuity for the activities described in this Privacy Notice, we make backups of certain data, which we may retain for longer than the original data.
9. What about security?
To help protect personal data, we have put in place physical, technical, and administrative safeguards. However, we cannot assure you that data that we collect will never be used or disclosed in a manner that is inconsistent with this Privacy Notice.
10. What about other kinds of data?
If the law and our contractual obligations allow, we may aggregate or de-identify your personal data so that the information cannot be linked to you and is no longer personal data. Our use and disclosure of non-personal data is not subject to this Privacy Notice, and we may use or disclose it for any reason permitted by law.
11. What happens when this Privacy Notice changes?
F5 may change this Privacy Notice at any time, including to reflect changes in the law or our data practices. Any updated Privacy Notice will be accessible from the footer of f5.com or another convenient location.
12. How to contact us
To request to exercise your data protection rights under the GDPR or other laws (besides the CCPA), please visit the General DSR Portal.
For CCPA Requests only for California Residents, please follow the instructions below for California-specific rights.
For security and legal reasons, F5 reserves the right to deny requests that require us to access third-party websites or services.
If you have any other request, question, or complaint regarding your personal data or this Privacy Notice, please complete the form below or:
F5, Inc.
Attn: Privacy Office
801 5th Ave
Seattle, Washington 98104
United States
Main European office:
NGINX
Attn: Privacy Office
3rd Floor, 89/90 South Mall
Cork, Ireland
T12 RPPO
UK Office:
F5 Networks Limited
Attn: Privacy Office
Chertsey Gate West
43-47 London Street, Chertsey
Surrey KT16 8AP
United Kingdom
Data Protection Officer:
Dr. Felix Wittern
Fieldfisher Tech Rechtsanwaltsgesellschaft mbH
Amerigo Vespucci Platz 1
20457 Hamburg
Germany
f5.dpo@fieldfisher.com
13. Special details for California residents
This Section 13 applies only to “personal information” about California residents, as that term is defined in the California Consumer Privacy Act (“CCPA”), and it supplements the information in the rest of our F5 Privacy Notice above. Data about individuals who are not residents of California is handled differently and is not subject to the same rights described in this Section. This Section does not apply to data that F5 handles in its capacity as a processor or “service provider” under the CCPA, even when such data is about a resident of California, or to other data or activities that are not subject to the privacy policy provisions of the CCPA.
Collection, Retention, and Use of California Personal Information
We collect (and during the 12 months leading up to the effective date of this Privacy Notice we did collect) the categories of personal information described below. We intend to retain this information for as long as we feel it is necessary for the purposes described further below, or for any longer period required by law. Because we may collect and use the same category of personal information for different purposes and in different contexts, there is not typically a fixed retention period that always will apply to a particular category of personal information. Examples of how long we normally intend to retain personal information in certain situations are set forth below.
Category of personal information |
Examples of how long we normally plan to keep this information |
identifiers (such as name, address, email address and other contact information) |
We may retain certain identifiers associated with points of contact within existing customers for the duration of the customer’s contract with F5, and for 2 years after that for related administration and sales purposes. We may retain identifiers associated with non-customer persons collected in the context of sales until 1 year after they unsubscribe from emails, or 1 year after the person’s last interaction with F5 (whichever is greater) for analytics purposes. |
commercial information (such as information about an individual’s interests and interactions with F5, our partners, or our customers, including transaction data); |
We may retain certain information on a person’s interest in our products for up to 1 year after the person’s last interaction with F5, or 2 years after the end of a customer’s contract with F5 for sales and marketing purposes. |
financial data (such as payment information) |
We may retain financial data for 7 years in support of financial statements/filings and key financial or business process controls. |
health information |
If we collect health information from a certification candidate in a request for an accommodation, we dispose of it shortly after making an accommodation decision. For more detail about retention of health information and other categories of data in the context of our F5 Certified! Professional Certification Program, please see that program’s Privacy Statement. |
audio and visual information (such as CCTV images or recordings of calls or meetings) |
If a customer contacts us for customer support on certain recorded lines, we often retain recordings of those conversations for one year. |
biometric information (such as palm vein prints collected from certification candidates for identity verification and test security) |
If an F5 Certified! testing partner collects fingerprints or palm vein scans for test security, the standard retention period is three years. However, during active investigations or in connection with legal matters as permitted by law, this biometric data may be retained for six years or longer, except for candidates in Illinois, for whom absent a valid warrant or subpoena issued by a court of competent jurisdiction, or a legal requirement that takes precedence over the Biometric Information Privacy Act (BIPA), this data is purged after three years. |
internet or other network or device activity (such as IP addresses, device identifiers, cookie data, device attributes, device usage information, browsing information, metadata, and other information described in Section 7 of our Privacy Notice or Service-specific Privacy Statements) |
We retain the California IP address associated with account logins on our own websites for several years for account authentication, fraud detection, and other cybersecurity purposes. |
account login credentials |
We retain account login credentials for the duration of the account and may further retain them for fraud prevention and cybersecurity purposes. |
professional or employment related data (such as title) |
We may retain various forms of professional related data received in the sales context for 1 year after the person’s (or their organization’s) last interaction with F5, or 2 years after the end of a customer’s contract with F5 for sales and marketing purposes. |
inferences drawn from any of the above |
We often retain inferences for the same period of time for which we retain the underlying data. |
F5 uses personal information for the following purposes:
“Sale,” “Sharing,” and Related Opt-out
As described further below, some of our disclosures of personal information qualify under the CCPA as what it defines as a “sale” or “sharing” of personal information. During the 12 months leading up to the effective date of this Privacy Notice, we “sold” and “shared” (as those terms are defined under the CCPA), what the CCPA calls “identifiers” (like IP addresses), “internet or other electronic network activity information” (like information regarding an individual’s browsing interactions on a website), and “commercial information” (like the fact that a browser visited a page directed to people who are considering purchasing from us) to third parties that assist us, such as marketing providers and analytics providers. This practice continues today. To our knowledge, we do not “sell” or “share” (as those terms are defined under the CCPA) the personal information of individuals under 16 years of age.
You can exercise your right to opt out of those disclosures by following the instructions on our “Do Not Sell or Share My Personal Information” form. (You also can exercise this right by leaving a voicemail with such request at +1 (844) 311-6885 and following the instructions we send you, but this option is slower.)
Your browser may also offer a way to activate the Global Privacy Control signal (“GPC”). Our websites each treat qualifying browsers for which the user has activated the GPC signal as having opted out of what CCPA calls a “sale” of any California personal information that is collected on that site from that browser using cookies and similar technology. You can override that treatment for a GPC-enabled browser by using the cookie controls available from the website’s footer to opt into particular categories of cookies from that browser. In that case, “sales” via cookies and similar technology in those categories may resume on that browser.
Opting out of “sales” and “sharing” limits only some types of disclosures of personal information, and there are exceptions to all of the rights described in this section.
Other Disclosures of Personal Information
The following chart indicates the categories of personal information that we collected and the categories of third parties to whom we disclosed this data during the 12 months leading up to the effective date of this Privacy Notice.
Category of personal information |
Categories of entities to whom we disclosed it |
identifiers (such as name, address, email address and other contact information) |
|
commercial information (such as information about an individual’s interests and interactions with F5, our partners, or our customers, including transaction data); |
Same as first row in this chart. |
financial data (such as payment information) |
Same as first row in this chart. |
health information, such as that collected from some certification candidates who request an accommodation |
Affiliates, testing providers, providers of technical services (e.g., providers of data storage, data backup), other subcontractors, and governmental entities. |
audio and visual information (such as CCTV images or recordings of calls or meetings) |
Same as first row in this chart. |
biometric information (such as photographs and palm vein prints collected from certification candidates for identity verification and test security) |
Affiliates, testing providers, providers of technical services (e.g., providers of data storage, data backup), other subcontractors, and governmental entities. |
internet or other network or device activity (such as IP addresses, device identifiers, cookie data, device attributes, device usage information, browsing information, metadata, and other information described in Section 7 of our Privacy Notice or Service-specific Privacy Statements) |
Same as first row in this chart. |
geolocation information |
Same as first row in this chart. |
account login credentials |
Affiliates, providers of technical services (e.g., providers of data storage, data backup), other subcontractors. |
professional or employment related data (such as title) |
Same as first row in this chart. |
other information that identifies or can be reasonably associated with an individual |
Same as first row in this chart. |
inferences drawn from any of the above |
Same as first row in this chart. |
We do not use or disclose “sensitive personal information” covered by this Notice and as defined in the CCPA in a manner that requires us to offer a special right to limit our use of this data under the CCPA.
CCPA Right to Access, Correct, or Delete Personal Information
If you are a California resident, California law also may permit you to request that we:
· Correct certain personal information we have about you; and
Please note that certain information may be exempt from such requests under California law. For example, we need certain information to provide our services to you, so we may reject a deletion request for that information while providing services to you.
To request to exercise any of these rights and receive the fastest response, please use our CCPA DSR Portal or leave a voicemail with such request at +1 (844) 311-6885. For security and legal reasons, F5 will not accept requests that require us to access third-party websites or services. We reserve the right to take steps verify your identity to our satisfaction before responding to your request, which may include, depending the type of request you are making, the sensitivity of any data you are requesting, and the nature of your relationship with us: verifying your name, asking you to click on a link that we send to your email address, requesting that you login to an account you maintain with us, or requesting that you provide us with information about our relationship that only you are likely to have.
Requests Made by Agents
If you are an agent making a request on behalf of a consumer, we reserve the right to take steps to verify that you are authorized to make that request, which may include requiring you to provide us with written proof such as a notarized authentication letter or a power of attorney. We also may require the consumer to verify their identity directly with us. Because opt-out requests for “sales” and “sharing” made through cookies and related technology must be performed from each browser that is used to access our Services, it is easiest for the consumer to perform such opt-outs themselves. However, if a consumer wishes for an agent to perform browser-based requests on their behalf, the consumer may arrange for the agent to use the consumer’s browser to make such requests. We are not responsible for the security risks of this or any other arrangements that a consumer may have with an agent. For clarity, this is not permission for any user to disclose their login credentials to an agent or any third party. Such disclosure is prohibited and is not required for an agent to make requests under this Privacy Notice.
Nondiscrimination
You also have a right not to receive “discriminatory treatment” (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.