Netlify Privacy Statement

Last updated: February 13, 2024

This Privacy Statement applies to Netlify, Inc. and/or its affiliated entities (“Netlify”, “we”, or “us”) when we act as the controller of your Personal Data. Netlify’s affiliates are listed in Section 16 below. However, this Privacy Statement does not apply to data we process as a service provider or data processor on behalf of our enterprise customers. Such data processing activities are governed by our Data Processing Agreement. If you use the Netlify Services as part of your organization (for example, you are an employee), you should read your organization’s privacy statement and direct any inquiries to that organization.

Netlify takes your privacy seriously. We will not sell, lease, or exchange your personal data to, or otherwise share your personal data with, third parties in ways other than described in this Privacy Statement.

1. Applicability

This Privacy Statement applies when Netlify acts as controller of your Personal Data such as:

2. Personal Data Netlify Collects

The categories of Personal Data that we collect depend on how you use the Netlify Services or the Website.

(i) Information You Provide Directly

(ii) Information We Collect Automatically

(iii) Information We Receive from Third-parties

3. Purposes for which Netlify Processes Personal Data and Legal Basis

4. Disclosure of Personal Data

We may share your Personal Data with third parties, such as:

5. International Transfer of Personal Data

Your Personal Data may be collected, transferred to and stored by Netlify outside of the country of collection to and by our affiliates.

Your Personal Data may be processed outside your country or jurisdiction, including in places that are not subject to an adequacy decision by the European Commission, and that may not provide for the same level of data protection as the General Data Protection Regulation (“GDPR”). When we engage in cross-border transfers to countries that do not ensure the same level of data protection, we use a variety of legal mechanisms, including the standard contractual clauses published by the European Commission under Commission Implementing Decision 2021/914, to help protect your rights and enable these protections to travel with your data. For transfers to the United States, see below Section13 “Data Privacy Framework”.

6. Children's Privacy

We do not knowingly provide the Services to, and will not knowingly collect the personal information from anyone under the age of 16.  If you are a parent or guardian of a minor child and believe that a child has disclosed online personal data to us, please contact us using the details provided in Section 17.  If we learn or have reason to suspect that a user is under the age of 16, we will close the account.

7. Data Retention

We may retain your Personal Data for a period of time consistent with the original purpose of collection or as long as required to fulfill our legal obligations. We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of the Personal Data being processed, the potential risk of harm from unauthorized use or disclosure of the Personal Data, whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation). After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data. For more information on data retention periods, please contact us by using the information in Section 17.

8. Your Rights

(i) Your Rights Relating to Your Personal Data

You may have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws these rights may include the right to:

Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection.

Please note that Automated Decision-Making currently does not take place on our websites or in the Netlify Services.

(ii) How to Exercise Your Rights

To exercise your rights, please contact us by using the information in Section 17. Your Personal Data may be processed in responding to these rights. We try to respond to all legitimate requests within one month unless otherwise required by law, and will contact you if we need additional information from you in order to honor your request or verify your identity. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive. If you are an employee of a Netlify customer, you should contact your employer’s system administrator for assistance in correcting or updating your information.

(iii) When We Act as Processor

As described above, we may also process Personal Data submitted by or for a customer to the Netlify Services. To this end we process such Personal Data as a processor on behalf of our customer (and its affiliates) who is the controller of the Personal Data. We are not responsible for and have no control over the privacy and data security practices of our customers, which may differ from those explained in this Privacy Statement. If your data has been submitted to us in our role as a processor by or on behalf of a Netlify customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with them directly. We may only access a customer’s data upon their instructions, therefore if you make your request directly to us we will refer your request to that customer (provided you identify who the customer is), and will support them as needed in responding to your request within a reasonable timeframe.

9. Marketing Communications

If we process your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from Netlify by clicking on the “unsubscribe” link located on the bottom of Netlify marketing emails. Please note that opting out of marketing communications does not opt you out of receiving important business communications related to your current relationship with Netlify, such as communications about your subscriptions or event registrations, service announcements or security information.

If you want your phone number to be added to our internal Do-Not-Call telemarketing register, please contact us by using the information in Section 17 below. Please include your first name, last name, company and the phone number you wish to add to our Do-Not-Call register.

Alternatively, you can always let us know during a telemarketing call that you do not want to be called again for marketing purposes

10. External Links

During your interactions with us, you may come across links to external sites or other online services, included in those embedded within third party advertisements.  It is important to note that we do not have control over, and are not responsible for the privacy practices or the content of these third-party sites. We strongly encourage you to review the privacy policy of linked third-party sites, if you have any questions about their privacy practices, as their privacy policies and practices may vary from our own.

11. Data Security at Netlify

We will strive to prevent unauthorized access to your personal information, however, no data transmission over the Internet, by wireless device or over the air is guaranteed to be 100% secure. We will continue to enhance security procedures as new technologies and procedures become available.

We strongly recommend that you do not disclose your password to anyone. If you forget your password, we will ask you for your ID and send you an email containing a link that will allow you to reset your password.

Please remember that you control what personal information you provide while using the Netlify Services. Ultimately, you are responsible for maintaining the secrecy of your identification, passwords and/or any personal information in your possession for the use of the Netlify Services. Always be careful and responsible regarding your personal information. We are not responsible for, and cannot control, the use by others of any information which you provide to them and you should use caution in selecting the personal information you provide to others through the Netlify Services. Similarly, we cannot assume any responsibility for the content of any personal information or other information which you receive from other users through the Netlify Services, and you release us from any and all liability in connection with the contents of any personal information or other information which you may receive using the Netlify Services. We cannot guarantee, or assume any responsibility for verifying, the accuracy of the personal information or other information provided by any third party. You release us from any and all liability in connection with the use of such personal information or other information of others.

You can find more information on how we protect content provided to Netlify in using the Netlify Services, as well as any data transmitted and processed through your account on the Netlify Service, here: https://www.netlify.com/security/.

12. Changes to this Privacy Statement

We will update this Privacy Statement from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we do, we will update the “effective date” at the top. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a notice on our website or by contacting you directly, or where required under applicable law and feasible, seek your consent to these changes.

We encourage you to periodically review this Privacy Statement to stay informed about our collection, processing and sharing of your Personal Data.

13. Data Privacy Framework

Netlify, Inc. and Jamstack Innovation Fund comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Netlify, Inc. and Jamstack Innovation Fund have certified to the U.S. Department of Commerce that they adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Netlify, Inc. and Jamstack Innovation Fund have certified to the U.S. Department of Commerce that they adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data privacy framework website.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Netlify, Inc. and Jamstack Innovation Fund commit to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

The Federal Trade Commission has jurisdiction over Netlify, Inc. and Jamstack Innovation Fund compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).

In certain circumstances, the DPF provides the right to invoke binding arbitration to resolve complaints not resolved by other means, as described in Annex I of the DPF Principles.

If we share data with third parties as detailed in in paragraph 4, Netlify has signed contracts with such third parties restricting their access, use and disclosure of personal data in compliance with our obligations under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, including the onward transfer provisions, and Netlify remains liable if they fail to meet those obligations and we are responsible for the event giving rise to damage.

14. California Residents

If you are a California resident, you have the rights listed below, as recognized by the California Consumer Privacy Act (CCPA). However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.

In order to submit a request to exercise your right of information, access, or deletion pursuant to the CCPA, please follow the instructions for submitting a request detailed in this Privacy Statement. Please note, we reserve the right to confirm your California residence to process your requests and may need to confirm your identity to process certain requests. For example, we take reasonable precautions to verify the identities of those California residents submitting requests to delete or access Personal Information.

Right to Opt Out of the Sale and Sharing of Your Personal Information

We do not sell your Personal Information in the conventional sense (i.e., for money). Like many companies, however, we use services that help deliver interest-based ads to you and may transfer Personal Information to business partners for their use. Making Personal Information (such as online identifiers or browsing activity) available to these companies may be considered a “sale” or “sharing” of your Personal Information under the CCPA.

In addition, some internet browsers offer the option to enable opt-out signals such as Global Privacy Control that lets you tell websites that you do not want to have your online activities tracked. We  respond to these signals by processing them as a request to opt out of the “sale” or “sharing” of your Personal Information as discussed above.

Please note that you will still see some advertising, regardless of your selection. We do not impose verification protocols for processing opt out requests unless we have reason to question the authenticity of a requester’s identity, in which case we may request evidence of identity and California residency.

15. Supplemental Information for the EEA, Switzerland, and the U.K. 

“Personal Data” as referenced in this Privacy Statement means “personal data” as that term is defined under the European Union (“EU”) General Data Protection Regulations (“GDPR”) and its United Kingdom (“UK”) GDPR counterpart. If you are an individual from the European Economic Area (the “EEA”), the UK or Switzerland, please note that our legal basis for collecting and using your Personal Data will depend on the Personal Data collected and the specific context in which we collect it. As detailed in Section 2, we normally will collect Personal Data from you only where: (a) we have your consent to do so, (b) where we need your Personal Data to perform a contract with you (e.g. to deliver the Netlify Services you have requested), or (c) where the processing is in our legitimate interests. Please note that in most cases, if you do not provide the requested information, Netlify will not be able to provide the requested service to you.

In some cases, we may also have a legal obligation to collect Personal Data from you, or may otherwise need the Personal Data to protect your vital interests or those of another person. Where we rely on your consent to process your Personal Data, you have the right to withdraw or decline consent at any time. Where we rely on our legitimate interests to process your Personal Data, you have the right to object by emailing us at privacy@netlify.com

16. Netlify Affiliates

Stackbit, Inc.; Gatsby, Inc.; Netlify Canada Limited; Netlify EMEA Limited; Netlify UK Limited.

17. Contact Us

If you have any questions or suggestions regarding our Privacy Statement, please contact us at privacy@netlify.com, or write us at:

Netlify, Inc.
512 2nd Street, Fl 2
San Francisco, CA 94107

When you contact us, please indicate in which country and/or state you reside.

If you believe that we have not been able to assist with your complaint or concern, and you are located in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with the competent supervisory authority.  If you work or reside in a country that is a member of the European Union or that is in the EEA, you may find the contact details for your appropriate data protection authority on the following website.