Buoyant Privacy Policy

Last Updated and Effective Date: June 4th, 2025

Buoyant, Inc., (“Buoyant”, “we”, “us”, or “our”) is committed to respecting the privacy and confidentiality of Personal Information (defined below). Please read this Privacy Policy (“Privacy Policy”) carefully. It provides information about how we collect, use, disclose, and otherwise process Personal Information when you visit, access, or use the Services (defined below). From time to time, we may update this Privacy Policy as described in the Changes to this Privacy Policy section below.

Please also review any applicable terms and conditions or Customer agreement, which also apply to the use of our Services. Terms that are defined in the applicable terms or agreement have the same meaning in this Privacy Policy unless this Privacy Policy specifies differently.

Residents of the European Economic Area (“EEA”) or another country other than the United States (“Non-US”) can learn about our privacy practices with respect to their Personal Information in the SUPPLEMENTAL NOTICE FOR EEA AND NON-US RESIDENTS below.

If you have any questions, comments, or concerns, please contact us.

‍          a. Our Services

This Privacy Policy applies to Personal Information that we collect, use, disclose, and otherwise process when you: 

• Access or use our website available at buoyant.io, buoyant.cloud, or any other website operated or made available by us where this Privacy Policy is posted (collectively, the “Website”);
• Access or use our products, such as the Buoyant enterprise solutions and any related products, tools, services or functionality we make available (“Products”); or
• Communicate with us through any written, electronic, or oral communications, including by email, text message, or phone, such as through events or marketing communications.

For purposes of this Privacy Policy, we refer to our Website, Products, and any other online service we provide that links to this Privacy Policy as the “Services.” Note that this Privacy Policy does not apply to or cover External Websites (see the Out of Scope External Websites section below).

          b. Cookies 

This Privacy Policy covers how we use and share Personal Information captured by cookies and similar tracking technologies such as pixels (collectively, “Cookies”). For more information about what cookies are and how to manage them, please review our Cookie Policy.

          c. Authorized Users and Customer Data

We provide the Products to organizations who have entered into an agreement with us for the access to and use of the Products (“Customers”) and solely for their benefit and the benefit of personnel or other individuals that they authorize to use the Platform (“Authorized Users”). We are data processors of the Customer Data (defined below) we may process on their behalf. Our processing of such Customer Data is governed by our applicable agreement with the Customer, and the Customer is responsible for the collection and use of such Customer Data. Our Customers determine their own policies for handling personal information, and Buoyant does not control our Customers’ policies or the manner in which they handle personal information.

          d. Out of Scope External Websites

When engaging in the Services, we may provide links to third-party websites, resources, or features we do not have a contractual relationship and over which we do not have control (collectively, “External Websites”). For example, websites for another company or integrated tools that enable you to share content via social media sites. This Privacy Policy does not apply to or cover External Websites. 

Such links are not paid advertisements, nor do they constitute an endorsement by us of those External Websites. By clicking on links to the External Websites, the operators of the External Websites may collect Personal Information. We are not responsible for the content or data collection practices of those External Websites, and your use of External Websites is subject to their respective terms of use and privacy policies. We encourage you to carefully read the privacy policy of any website you visit.

As used in this Privacy Policy, “Personal Information” or “Personal Data” means any information that identifies or could be used to identify an individual person. For example, Personal Information may include name, email address, and phone number. It also includes other non-public information that we associate with such identifying information. Personal Information does not include aggregated or anonymized information.

          a. Types of Personal Information

The types of Personal Information we collect are described below. Some privacy laws may use broader or different categories to describe these types of Personal Information. We refer to these categories in the How We Use Personal Information section below. 

          b. Sources of Personal Information

The Personal Information we collect and how we collect it depends on how you use the Services. We collect all types of Personal Information, identified above, from each of the following sources:

• Directly from you or our Customers. We collect Personal Information from you when you interact with us by filling out forms, corresponding with us, or using the Services. Our Customers may also provide us with information about their Authorized Users.
• From third-party or publicly available sources. Depending on the Services you use or how you use the Services, we collect and process Personal Information we receive from third parties and/or from publicly available sources, and we may combine Personal Information we receive from you with Personal Information we obtain from other sources. This may include third party services or subscriptions you choose to connect with the Services and partners with which we offer co-branded services or engage in joint marketing activities.
• Automatically. When you access or use the Services, we or our third-party agents or service providers automatically collect information about the device you use to access the Services and your activity when you use the Services.

          c. Customer Data

Depending on the Services you use and how you use them, we may collect, receive, or access the messages, files, data, Third-Party Account Data, or other content that our Customers and their Authorized Users input, upload, submit, transmit, import, or otherwise provide or make available to the Products (collectively, “Customer Data”). We process Customer Data pursuant to our agreements with our Customers. 

           d. Customer Data from Third Party Services 

If you elect to connect or integrate a third-party service or subscription with our Services, we will access and/or import the information that you direct us to access or import from that third-party service (“Third-Party Account Data”). Customers and Authorized Users should check the privacy settings and notices in these Third Party Services to understand what data may be disclosed to us.  

We only process Personal Information where there is a legal ground or lawful basis to do so and for the purposes described in the chart below. The applicable lawful basis depends on the Services you use and how you use them.  If we need to use your Personal Information for a different purpose, we will notify you and we will explain the legal basis which allows us to do so.

For EEA and Non-US residents, please contact us if you need details about the specific legal ground we are relying on to process Personal Information where more than one ground has been set out in the table below.

You may choose not to provide Personal Information to us. However, some Personal Information is necessary so that we can provide you with the Services you have requested. Failure to provide this information may prevent us from providing you with access to the Services.

We disclose all types of Personal Information to the third parties identified in the How We Disclose Personal Information section for the purposes described in the chart below.

We transmit, disclose, grant access, make available and provide all types of Personal Information mentioned above to third parties and with our authorized personnel that have a business need for access. The categories of third parties we disclose Personal Information to are described below.

If you are located in the EEA and other Non-US countries, please be aware that for some purposes of processing some of the third parties below may act as co-controllers in respect of your Personal Information.

          a. Other Authorized Users 

Other Authorized Users and Customer representatives and personnel may be able to access, modify, or restrict access to Personal Information. For example, Customer account administrators may access and control Authorized User accounts.When you share personal information or collaborate with other Authorized Users under your corporate Account, such information will be viewable and accessible by the other Authorized Users you’ve designated. 

          b. Other Users in Blogs or Forums

If you interact in or post to any public areas of the Services, such as blogs or other online forums we may offer, such information may be viewed by all users and may be publicly distributed outside the Services. We encourage you to be thoughtful as to how you interact with other users of the Services, and the information you publish or otherwise share within any public areas of the Services (for example, through comments and blog or forum posts).

           c. Third-Party Vendors

We disclose Personal Information with our third-party vendors, including consultants, agents, and contractors, that help us provide the Services or with any of the purposes described in this Privacy Policy. Depending on the Services you use and how you use the Services, the following categories of vendors may collect data on our behalf or receive Personal Information, for example:

• Advertising and marketing partners;
• Customer relationship management and customer support vendors;
• Event co-hosts and sponsors;
• Security and fraud-prevention providers;
• Professional advisors and agents, such as auditors, lawyers, consultants, accountants and insurers;
• Providers of business operations and communication tools, such as email and messaging software providers; 
• Other third-party vendors that help us provide features and functions for the Services; and
• Website hosting and analytics vendors.

          d. Payment Processors

For payments made via credit card, we work with a third-party payment processor to collect financial and payment information for the Services. Note that your financial and payment information is passed directly to the payment processor. We will not store your credit card or have access to it after a payment is submitted. Please review the payment processor’s privacy notice to learn more about how they collect, process, and protect your Personal Information.

          e. Legal, Compliance and Regulatory Purposes

We may disclose Personal Information if we believe that it is necessary to: 

• Comply with a law, regulation, legal process, or legitimate governmental request; 
• Protect the safety or security of the Services, users of the Services, or any person; 
• Investigate, prevent, or take action regarding illegal or suspected illegal activities; 
• Prevent spam, abuse, fraud, or other malicious activity of actors using or accessing the Services; or 
• Protect our rights or property or the rights or property of those who use the Services. 

Personal Information about our users will not be released to law enforcement except in response to an appropriate legal process such as a subpoena, court order, or other valid legal process that has been reviewed by us. However, if we receive information that provides us with a good faith belief that there is an exigent emergency, we may provide information to law enforcement trying to prevent or mitigate the danger, to be determined on a case-by-case basis.

          f. Business Transfers

We may disclose Personal Information to third parties we choose to acquire or with buyers, successors, or others in connection with a merger, divestiture, restructuring, reorganization, financing due diligence, dissolution, or other sale or transfer of some or all of our assets or transition of service to another provider, whether as a going concern or as part of bankruptcy, receivership, liquidation or similar proceeding, as permitted by law and/or contract.

          g. With Your Consent or Authorization

There may be situations where you are asked to consent to disclose Personal Information with third parties for additional reasons not included in this Privacy Policy.

Likewise, if you specifically authorize us to do so, we will share your information with other third parties. For example, you may request to transfer your Personal Information from us to a third-party under your applicable privacy rights.

We retain Personal Information for the purposes stated in this Privacy Policy and as required under applicable law. To determine how long we keep Personal Information, we consider the amount, nature, and sensitivity of Personal Information, the reasons for which we collect and process the information, and applicable legal requirements. For information about retention periods for specific types of Personal Information, please contact us.

We take our responsibility to protect the security and privacy of Personal Information seriously. To prevent Personal Information from being lost, used, accessed, altered, or disclosed in an unauthorized or unlawful way, we have implemented what we believe to be reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the Personal Information at issue. 

However, no method of transmission over the Internet, or method of electronic storage, is 100% secure, and we cannot and do not guarantee that Personal Information is completely secure and safe from such risks. By using the Services, you understand and assume the risks associated with your activities on the Internet.

The Personal Information that we collect or receive may be transferred to and processed in countries located outside of your country of residence to the countries where we or our third-party service providers process it. The data protection laws of the countries where Personal Information is processed may not be as comprehensive as or equivalent to those in your country of residence. Whenever we transfer Personal Information internationally, we take steps to protect it as required under applicable law.

Our Services are not intended for use by anyone younger than the age of 16 or under the applicable legal age of the relevant country. We do not knowingly collect Personal Information from children younger than the age of 16 without the consent of a parent or legal guardian, as required under applicable law. 

If you learn or believe that a child under the age of 16 has provided us with Personal Information, please contact us.

          a. Marketing Communications

To stop receiving, or opt-out of, promotional email communications from us, click on the "unsubscribe" link or follow the relevant opt-out instructions within the marketing communication. 

To stop receiving SMS marketing communications from us, you can opt out at any time by responding with the opt-out notice indicated in the SMS communication. 

If you opt-out of receiving marketing communications, we will still send you transactional communications, such as for responses to your requests or communications about your account.

If you need assistance unsubscribing or opting-out of marketing communications, please contact us.

          b. Third-Party Advertising and Analytics

We work with third-party network advertisers, ad agencies, and other advertising partners to serve our ads online. These third-party advertising and analytics partners may collect information about your activity on the Services using tracking technologies. We may use information about you to target ads to you and to allow our third-party advertising partners (e.g., Google) to manage our advertising on their websites. We also use third-party analytics providers to provide us with information regarding the use of the Services and the effectiveness of our advertisements. For information about the tracking technologies that these third parties use, please see the Cookie Policy.

               i. Your Privacy Preferences

To review and change your preferences regarding the use and disclosure of your Personal Information for third-party advertising and analytics, you can update your privacy preferences by clicking on the cookie icon on buoyant.io..

               ii. Do Not Track

Do Not Track ("DNT") is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third-parties. At this time, we do not respond to DNT signals. For more information about what cookies are and how to manage them, please review the Cookie Policy.

We may update this Privacy Policy from time to time. When we update this Privacy Policy, we will revise the “Last Updated and Effective Date” at the top of this Privacy Policy and post a link to the updated Privacy Policy on the Services. Changes to this Privacy Policy are effective when they are posted. 

If we make any material changes, we will provide you with notice as required under applicable law. For example, we may send a message to your email address or generate a pop-up or similar notification when you access the Services for the first time after such material changes are made. Please review this Privacy Policy periodically to ensure you are aware of any such changes.

If you have any questions about this Privacy Policy or our privacy practices, please contact us at privacy@buoyant.io or by writing to us at:

Buoyant, Inc. 548 Market St, PMB 43038, San Francisco, CA 94104-5401

Attn: Legal Department

This Supplemental Notice for EEA and Non-US Residents supplements the information provided in this Privacy Policy and applies only to individuals located in the EEA, United Kingdom (“UK”), Switzerland, or another country other than the United States with a comprehensive data protection law who are within the scope of this Privacy Policy. 

For purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and relevant local data protection laws, we are (a) the data controller of Personal Information about users of the Services and (b) the data processor of Customer Data.

1. International Transfers

We rely on the Standard Contractual Clauses to provide an adequate level of data protection for the transfer of your Personal Information from the EEA, the UK, or Switzerland, where the country of import is not deemed adequate under applicable law.

2. Your Rights and How to Exercise Them

Under the GDPR and relevant local data protection laws, you may be able to exercise some or all of the following rights.

Please note that these rights are not absolute and we may refuse requests, in whole or in part, where exceptions under applicable law apply. Additionally, we may refuse to fulfill your request if it is unfounded, repetitive, or excessive.

          a. Identity Verification

To verify your identity, we may ask you to confirm Personal Information we already have on file for you. This is a security measure to help ensure that your Personal Information is not disclosed to any person who has no right to receive it and to help ensure that the person exercising the right is the person about whom the Personal Information relates.

If we cannot verify your identity from the information we have on file, we may request additional information, which we will only use to verify your identity and for security or fraud prevention purposes.

          b. Requests on Behalf of Another

Depending on your jurisdiction, an authorized third party may make privacy rights requests on your behalf. As a security measure, we may require the authorized third party to provide proof that they have been authorized directly by you to act on your behalf.

3. Questions and Complaints

You have the right to make a complaint at any time to the supervisory authority for data protection issues in your country of residence. We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us.

For more information on how to contact your data protection authority if you are located in the EEA, the UK, or Switzerland, please see:

• ‍EEA Data Protection Authorities (DPAs)
• Swiss Federal Data Protection and Information Commissioner (FDPIC)
• UK Information Commissioner’s Office (ICO)