Last updated: September 20 2022
When we refer to “Miro”, we mean the Miro entity that acts as the controller or processor of your personal data, explained in more detail in the “Identifying the Data Controller and Processor” section below.
The organization (e.g., your employer or another entity or person) (“Customer”) that entered into the Terms of Service or the Master Cloud Agreement (“Customer Agreement”) controls its instance of the Services (its “Organization”) and any associated Customer Content. Individuals that are granted access to an Organization by a Customer (“Authorized Users”) routinely submit Customer Content to Miro when using the Services.
If you have any questions about specific Organization settings and privacy practices, please contact the Customer whose Organization you use. If you have received an invitation to join an Organization but have not yet created an account, you should request assistance from the Customer that sent the invitation.
Identifying the Data Controller and Processor
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of personal data. In general, Customer is the controller and Miro is the processor of Customer Content.
As the controller for Customer Content, Customer may, for example, use the Services to grant and remove access to an Organization, assign roles and configure settings, access, modify, export, share and remove Customer Content and otherwise apply its policies to the Services.
As the processor for Customer Content, Miro processes Customer Content only on Customer’s request and in accordance with Customer’s written instructions, including the applicable terms in the Customer Agreement, Customer’s use of the Services, and as required by applicable law. For more information about how Customer Content is processed (such as how your personal data is processed, the purpose and legal basis for processing, and your data subject rights), we refer you to the relevant Customer’s privacy notice.
Miro is the controller for certain other categories of data (described in paragraph 3 below). If you have any questions or complaints, or would like to exercise your rights with regard to your personal data, please contact us at firstname.lastname@example.org.
The types of personal data we collect
Your personal data is provided by you, obtained from third parties, and/or created by us when you use the Services.
Miro may collect and receive Customer Content and other personal data (“Other Data”) in a variety of ways:
Customer Content. Customers or Authorized Users routinely submit Customer Content to Miro when using the Services.
Other Data. Miro also collects, generates and/or receives Other Data:
Organization and account information. To create or update an Organization account, you or the relevant Customer (e.g. your employer) will supply Miro with an email address, phone number, password, domain and/or similar account details. This may also happen if you are a Free, Team or Business User whose employer purchases an Enterprise version of the Services. In addition, Customers that purchase a paid version of the Services provide Miro (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
Service metadata. When an Authorized User interacts with the Services, metadata is generated to provide additional context about their use of the Services. For example, Miro logs the Organizations, boards, people, features, content and links that you view or interact with, as well the types of files shared and any Third-Party Services that you use.
Log data. Like most websites and services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services, recording this information in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, your browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences.
Device data. Miro collects information about devices accessing the Services, including the type of device, operating system used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Data often depends on the type of device used and its settings.
Location data. We receive information from you, the relevantCustomer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer or an IP address received from your browser or device to determine approximate location. Miro may also collect location information from devices in accordance with the consent provided by your device.
Third-party data. Miro may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters relevant to our business from parent corporations, affiliates and subsidiaries, our partners, or other third parties that we use to make our own information more useful. This data may be combined and may include aggregate-level data. For example, information about how well an online marketing or email campaign performed, or to create a business contacts directory.
Cookie data. Miro uses a variety of cookies and similar technologies in our Websites and Services to help us collect Other Data. For more details about how we use these technologies, as well as your opt-out opportunities and other options, please see our Cookie Notice.
Email performance data. Miro uses a ‘clear image’ (gif) in email communications in order to track engagement and performance metrics. Much of this data is aggregated and does not contain personal data. If you wish to turn off this tracking, you can do so by turning off images in the email itself.
Third-Party Services data. A Customer may choose to use Third-Party Services. If Customer enables Third-Party Services, Miro may access and exchange Customer Content and Other Data with the Third-Party on Customer’s behalf, in accordance with our agreement with the Third-Party Services and any permissions granted by the Customer (including its Authorized User(s)).
Contactdata. In accordance with the consent provided by your device or other third-party API, we process any contact information that an Authorized User chooses to import when using the Services.
Community data. We also receive Other Data when submitted to our Websites or in other ways, such as if you participate in the Miro Community, Miro Academy, or Miroverse. This data is either submitted directly to the Services, or collected during Forums, Programs, contests, activities, events, or educational programs hosted by Miro (or a vendor).
Call data. Our Customer Success team may record video or telephone calls with Customers for the purposes of training and quality assurance. You will be notified of this when a recording is made, and can request that Miro does not record these calls.
Additional data provided to Miro. We also receive Other Data when submitted to our Websites or in other ways, such as when you request support, interact with our social media accounts or otherwise communicate with Miro.
Business data. Miro may receive information about individuals from organisations, industries, Customers, (potential) partners, parent corporations, affiliates and subsidiaries, and our partners for cooperation and communication purposes.
Generally, no one is under a statutory or contractual obligation to provide any Customer Content or Other Data (collectively, “Personal Data”). However, certain Personal Data is collected automatically and, if some Personal Data, such as Organization setup details, is not provided, we may be unable to provide the Services.
How we use personal data
Customer Content will be used by Miro in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law.
Miro uses Other Data for the purposes of our legitimate interests in operating our Services, Websites and business. More specifically, Miro uses Other Data:
To provide, update, maintain and protect our Services, Websites and business. This includes the use of Other Data to support delivery of the Services under a Customer Agreement, including to create or update an Organization, to prevent or address service errors, security or technical issues, and to analyze and monitor usage, trends and other activities.
To provide, update, maintain and otherwise operate the Miro Community, Miro Academy and Miroverse. This includes facilitating collaboration and interaction between Users when engaging with the Miro Community or Miroverse, and/or recording learners’ progress and certifications in Miro Academy.
As required by applicable law, legal process or regulation.
To support and communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Data to respond.
To develop, test and provide search, learning and productivity tools and additional features. Miro tries to make the Services as useful as possible. For example, we make Services suggestions based on historical use and predictive models, identify organizational trends and insights, customize your experience of the Services, or to create new features and products.
To conduct market and user research. To improve our Services and troubleshoot new products and features, we may carry out research. For example we may survey Customers (including Admins, Users and other contacts) or third parties about customer satisfaction, user experience, the effectiveness of our marketing campaigns, and their broader interests.
To send emails and other communications.
Transactional: As part of our services, we provide users with certain communications and updates, We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications as part of our Services to you.
Soft opt-in / Legitimate Interests: In addition, where you are a non-enterprise user or you if you have opted-in as an enterprise user, we sometimes send emails about new product features, recommendations and promotional communications, or other news about Miro. You can opt-out of these messages at any time by using the unsubscribe link included in all of these communications.
For billing, account management and other administrative matters. Miro may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.
To investigate and help prevent security issues and abuse.
To manage and to contact you with regard to involvement. We may need to manage and contact you with regard to your involvement and participation in the Miro Community (such as the Forums, Programs, Miroverse, contests, activities, events or educational programs hosted by Miro or a vendor).
Further, note that we may keep certain types of Other Data after the deactivation of an account for the period needed for Miro to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.
How we share and disclose personal data
This section describes how Miro may share and disclose personal data, as described in paragraph 3 above. Customers determine their own policies and practices for the sharing and disclosure of personal data. Miro does not control how they or any other third party chooses to share or disclose personal data.
Miro may share and disclose personal data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and the Customer’s use of the Services and in compliance with applicable law. Where necessary, may only share personal data with third parties where we have obtained consent to do so.
We may share personal data as follows:
Displaying the Services. When an Authorized User submits Customer Content (including personal data), it may be displayed to other Authorized Users that have access to the same Miro Board. For example, an Authorized User’s name and Miro profile may be displayed. Please consult the Help Center for more information on this functionality.
Customer access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to personal data. This may include, for example, your employer using Service features to export logs of your activity or accessing or modifying your profile details..
Subcontractors. We may engage third-party companies or individuals as sub-processors to process personal data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Customers. Please see more information on our subcontractors here.
Third-Party Services. Customers may enable Third-Party Services. When enabled, Miro may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. Third-Party Services are not owned or controlled by Miro and third parties that have been granted access to personal data may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.
Partners. We may share personal data with developers, partners and others we engage to create Miro applications and/or integrating Miro features.
Forums. The information you choose to provide in a community forum, including personal data, will be publicly available.
Corporate Affiliates. Miro may share personal data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.
During a change to Miro’s business. If Miro engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Miro’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all personal data may be shared or transferred, subject to standard confidentiality arrangements.
To comply with laws. If we receive a request for personal data, we may disclose personal data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Miro, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.
Miro takes security of personal data very seriously. Miro strives to protect all Personal Data from loss, misuse, and unauthorized access or disclosure, and we have received internationally recognized security certifications. To learn more about current practices and policies regarding security and confidentiality of the Services, please see our Trust Center and Security FAQs. Given the nature of communications and information processing technology, Miro cannot guarantee that, during transmission through the internet or while stored on our systems or otherwise in our care, personal data will be absolutely safe from intrusion by others.
In addition, we take additional steps to protect any personal data about you that we process for the Miro Customer Experience Program, including pseudonymization applied to Other Data, and anonymization applied to Customer Content.
Our responsibility for third party links
Our Services may contain links to websites and services operated by third parties. If you follow a link to any of these websites, please note that these websites have their own privacy notices and terms and conditions. Further, we have no responsibility for, or control over, the information collected by any third-party website and we cannot be responsible for the protection and privacy of any information which you may provide to these websites. You should read the relevant privacy notices and terms and conditions before using their websites or services.
Miro does not allow use of our Services and Websites by anyone younger than 16 years old (“Minor”). If you learn that a Minor has unlawfully provided us with personal data, please contact us and we will take steps to delete this information.
By using our Services and Websites, you represent and warrant that you are not a Minor as of the date of first access to our Services and Websites.
If you are a Minor, you represent and warrant that you are accessing the Services and Websites with the consent of a competent guardian over the age of 16 years old who takes responsibility for your use of the Services and Websites. If you are a Minor accessing Miro via an education institution, that institution will have procured a licence on your behalf and agreed to our terms and conditions. In particular, it will have agreed that it has obtained all necessary consents and will take responsibility for your use of the Services and Websites.
If you are based in the European Union, the following provisions also apply:
GDPR means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
Member State means a member state of the European Union.
If we share your personal data with our group company(ies) or third parties located outside the European Economic Area, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR), which are available here.
Where we are the controller of your personal data, the GDPR data protection rights set out below apply to you. Most of these rights are not absolute and are subject to exemptions under applicable law. We will respond to any request to exercise your rights within one month, but have the right to extend this period in certain circumstances. If we extend the response period, we will let you know within one month from your request. If your request is clearly unfounded or excessive, we reserve the right to charge a reasonable fee or refuse to comply with it. To exercise these rights, please submit a request to us by sending an email to email@example.com.
Access your personal data. You are entitled to ask us if we are processing your personal data and, if we are, you can request access to your personal data. This enables you to receive a copy of the personal data we hold about you.
Request the transfer of your personal data. We will provide your personal data to you or a third party you have chosen in a structured, commonly used, machine-readable format. Please note that this right applies only to personal data you have provided to us, and only if we process your personal data on the basis of consent, or where we process your personal data in order to perform a contract with you.
Request erasure (deletion) of your personal data. You are entitled to ask us to delete or remove personal data in certain circumstances. There are certain exemptions where we may refuse a request for erasure. For example, where the personal data is required for compliance with law or in connection with legal claims. Where we rely on an exemption, we will inform you about this.
Request the correction or updating of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected.
Request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place.
Object to our processing of your personal data where we are relying on legitimate interests. You also have a right to object where we are processing your personal data for the purposes of direct marketing or profiling. You can object at any time and we shall stop processing the information you have objected to, unless we can show compelling legitimate grounds to continue that processing.
Withdraw your consent. Where you have provided your consent to our processing of your personal data, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your personal data before you withdrew consent.
Lodge a complaint at a supervisory authority. We will do our best to resolve any complaints you may have. However, if you feel we have not resolved your complaint, you have a right to lodge a complaint with a supervisory authority in the country where you live, where you work, or where an alleged infringement of the applicable data protection law took place. A list of EU supervisory authorities and their contact details is available here.
If you exercise the rights above and there is any question about who you are, we may require you to provide information in order to satisfy ourselves as to your identity.
If you are based in the United Kingdom, the following provisions apply:
UK GDPR means the Retained Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
If we share your personal data with our group company(ies) or third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your personal data, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018..
In relation to your data subject rights, paragraph 11(d) above applies, except that references to the "GDPR" will be read as references to the "UK GDPR", and in case wish to lodge a complaint with a supervisory authority, you may direct your complaint to the UK supervisory authority, the Information Commissioner’s Office.
If you are based in California, the following provisions apply:
California Data Protection Laws means the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, as each may be amended or replaced from time to time, and any regulations implementing the foregoing.
Under the California Data Protection Laws you have the following rights:
Right to Know about Personal Information Collected, Disclosed or Sold. You have the right to request that we disclose certain information to you about our collection, use, disclosure or sale of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), and subject to certain limitations that we describe below, we will disclose such information. You have the right to request any or all of the following:
The categories of personal information we collected about you.
The categories of sources from which the personal information is collected.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you (also called a data portability request).
Notice of Sale. We do not sell the personal information of California residents. We also do not have any actual knowledge of selling the personal information of any California resident who is 16 years or younger.
Right to Request Deletion. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) in order to perform certain actions set forth under the California Data Protection Laws, such as detecting security incidents and protecting against fraudulent or illegal activity.
Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a request to us by sending an email to firstname.lastname@example.org. Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information (including information that enables us to verify the identifying information we possibly maintain about you).
We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing. In order to protect the security of your personal information, we will not honour a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the personal information that we already have.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply.
Non-Discrimination. We will not discriminate against you for exercising any of your CCPA based on the California Data Protection Laws, including, but not limited to, by:
Denying you goods or services.
Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Providing you a different level or quality of goods or services.
Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.