This document was last updated on 25 November 2015.
What personal data do we collect?
We may collect personal data such as your name, company position, address, telephone number, mobile number, fax number, email address, credit card details, age, IP address, and account usernames.
How do you use my personal data?
Browsing our Site
Every time you connect to the Site, we store a log of your visit that shows the unique number your machine uses when it is connected to the Internet - its IP address. This tells us what your machine has looked at, whether the page request was successful or not and which browser your machine used to view the pages. This data is used for statistical purposes as well as to help customize the user experience as you browse the Site and subsequently interact with Sophos and our partners. This helps us to understand which areas of the Site are of particular interest, which pages are not being requested, and how many people are visiting the Site in total. It also helps us and our partners to determine which products and services may be of specific interest to you. We may attempt to contact you through these details if necessary, including, without limitation, when you are using the wrong paths to access the Site or are breaching restrictions on the use of the Site. We may also use this information to block IP addresses where there is a breach of the Terms and Conditions for use of the Site.
If you are making a job application or inquiry, you may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of considering your application or inquiry. Except when you explicitly request otherwise, we may keep this information on file for future reference.
Our resellers and distributors may visit our partner portal Site. We may use the customer and prospect information provided on that Site in order to provide the products and services.
If you obtain products or services from us, we may use your contact details and (where applicable) payment information for the purposes of (i) providing training, customer support and account management, (ii) order processing and billing, (iii) verifying your usage of the products and services in accordance with the terms and conditions of your agreement with us, (iv) carrying out end user compliance checks for export control purposes, (v) issuing license expiry, renewal and other related notices, and (vi) maintaining our company accounts and records.
Product and service related data
If you purchase or use our products or services, we may collect the following types of information: (i) product type, product version, product features and operating systems being used; (ii) processing times; (iii) customer identification code and company name, and (iv) IP address of the machine which returns the above listed information.
We may use such information for purposes which include but are not limited to:
- verifying your credentials and compliance with any usage restrictions,
- carrying out end user compliance checks for export control purposes,
- providing the products/services and any associated maintenance and technical support,
- providing virus, incident and other alerts, and information about product upgrades, updates, renewals and product lifecycle changes,
- providing maintenance and technical support,
- providing information about product upgrades, updates and renewals,
- generating logs, statistics and reports on service usage, service performance and malware infection,
- evaluating, developing and enhancing products, services, and our infrastructure,
- planning development roadmaps and product lifecycle strategies.
Some products and services also collect or generate an ID code for each machine which reports back to us. This ID code is only used to enable us to distinguish between unique machines so that (i) we do not duplicate reports from the same source; and (ii) we can determine the number of unique machines that are using the products and services. If this ID code is collected together with other information which could identify an individual when combined, we anonymize the ID code to prevent this from occurring.
Certain products and services may include features that collect additional personal data for other purposes, as described below. For detailed information, please also refer to the applicable product or service description.
Sophos Home Products
We may directly and remotely communicate with your protected devices for the purposes of, without limitation (i) applying policy and configuration changes to such devices; and (ii) extracting usage information, service performance information, and infection logs.
In order to continuously improve the protection levels in the Sophos Home products, it may be necessary for us to collect and process certain information relating to you and to users connected to your account. You acknowledge and agree that the information we collect may include confidential and/or personal data, including without limitation (i) names and email addresses; (ii) account usernames; (iii) IP addresses; (iv) usage information; (v) details of changes or attempted changes to executable files, pathnames and scripts, (vi) infection logs; and (vii) files suspected of being infected with malware. We are committed to safeguarding the privacy of your personal data and will never share this outside Sophos.
You warrant that you have obtained all necessary permissions and provided the necessary notifications to share the above information with us for the purposes described from all users connected to your account.
Sophos Mobile Security
When an application is downloaded on a device or the user initiates a check of all installed applications on an Android device, Sophos Mobile Security sends queries to our cloud infrastructure in order to validate the reputation of the applications. Each query contains a fingerprint generated from the Android application (the APK file) under investigation.
A unique device identifier is also generated locally on each mobile device during installation of Sophos Mobile Security. We do not associate this identifier with any personal data. Periodically the product sends statistical feedback packets to us, including the unique device identifier and service performance information.
Sophos Firewall Products
You acknowledge and agree that the Sophos Firewall and Firewall Manager Products may provide us with the below information, which will be used for the purpose of improving product stability, prioritizing feature refinements and enhancing protection.
(a). Configuration and Usage Data, including without limitation (i) device model, firmware and license information, such as model, hardware version, vendor, firmware version, and country; (ii) aggregated product usage information, such as product features in use (on/off, count), amount of configured objects, policies, managed devices, groups, templates; (iii) CPU, memory, and disk usage information; (iv) product errors; and
(b). Application Usage and Threat Data, including without limitation (i) IPS alerts; (ii) virus detected and the URL where the virus was found; (iii) spam; (iv) ATP threats; and (v) applications used and unclassified applications.
Information about unclassified applications is used to improve and enlarge network visibility and the application control library.
(c). Monitoring Threshold Data, which includes (i) monitoring threshold values per model; and (ii) alert threshold criteria and values per model.
Monitoring Threshold Data is used to improve the default threshold settings and alert criteria included within the product across models.
Configuration and Usage Data does not include user-specific information or personal data and cannot be disabled. Application Usage and Threat Data, and Monitoring Threshold Data collection is enabled by default, but you may disable collection of such data within the product at any time.
Sophos Mobile Control
When Sophos Mobile Control is installed or updated, you may receive Apple push notifications, Google cloud to device messaging for Android, SMS text messages, and other remote communications.
Sophos Mobile Control will store a list of users and mobile devices, and will record any applications downloaded or modifications made to such devices. Your administrator can also configure Sophos Mobile Control to track the geographic location of mobile devices and to lock or wipe a mobile device that has been lost or stolen.
Sophos Cloud Products
We may directly and remotely communicate with your protected devices for the purposes of, without limitation (i) applying policy and configuration changes to such devices; and (ii) extracting usage information, service performance information, and infection logs. Such communications may include but not be limited to SMS text messages and other push notifications.
You acknowledge and agree that it may be necessary for us to collect and process certain information relating to individuals in order to provide the Cloud products, and that such information may include proprietary, confidential and/or personal data, including without limitation (i) names, email addresses, telephone numbers and other contact details; (ii) account usernames; (iii) IP addresses; (iv) usage information; (v) lists of all software, files, paths and applications installed on the device, (vi) details of changes or attempted changes to executable files, pathnames and scripts, (vii) logs of websites visited; (viii) infection logs; and (ix) files suspected of being infected with malware.
Certain Cloud products may also (at your sole option) enable you to configure the product to (i) track and log the geographic location of devices; (ii) block access to devices; (iii) delete the content of devices; (iv) store text and email messages that were sent and/or received by devices. Such information may also be stored on the device itself and accordingly we recommend that you encrypt your devices.
You warrant that you have obtained all necessary permissions and provided the necessary notifications to share the above information with us for the purposes described. You also acknowledge and agree that it may be necessary under applicable law to inform and/or obtain consent from individuals before you intercept, access, monitor, log, store, transfer, export, block access to, and/or delete their communications. You are solely responsible for compliance with such laws.
Sophos Cloud Portal
If you select “Enable Partner Access” in the Settings tab of your Sophos Cloud portal, your designated third party partner or service provider will be able to access and administer your Sophos Cloud services on your behalf. If you do not enable such access, your designated third party partner or service provider will only see high-level reporting information such as Sophos Cloud services purchased and current usage information. You may revoke such access at any time by changing the permissions in the Settings tab.
If you participate in surveys, we may use your personal data to carry out market research. This research is conducted for our internal business and training purposes and will improve our understanding of our users’ demographics, interests and behaviour. This research is compiled and analysed on an aggregated basis and therefore does not individually identify any user.
Marketing and promotions
We (or our resellers or other selected third parties acting on our behalf) may contact you from time to time in order to provide you with information about products and services that may be of interest to you. All marketing emails that we send to you will follow the email guidelines described below. You have the right to ask us not to process your personal data for marketing purposes, but if you do so, we may need to share your contact information with third parties for the limited purpose of ensuring that you do not receive marketing communications from them on our behalf.
We adhere to the following guidelines in relation to our email communications:
- emails will clearly identify us as the sender,
- emails will include our physical postal address,
- emails sent to you for marketing purposes will include an option to unsubscribe from future email messages,
- you may unsubscribe from all mailing lists, with the exception of any emails regarding legal notices, invoicing, product updates, upgrades or license renewals,
- any third parties who send emails on our behalf will be required to comply with legislative requirements on unsolicited emails and the use of personal data.
We send emails from a number of different domains in both plain text and HTML email formats. Emails are usually sent using sender email addresses at:
Emails offering software downloads or free product trials will usually link to web pages on www.sophos.com or www.web.sophos.com. If you receive an email which claims to come from us but does not use these domains, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to email@example.com so we can investigate.
We have published best practice guidelines to help internet users learn how to avoid phishing emails at http://www.sophos.com/security/best-practice/phishing.html.
With whom might we share your personal data?
As a global company, we have international sites and users all over the world. When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the EEA.
In the event that we receive requests from government departments, agencies or other official bodies, we will only disclose your information if and to the extent that we believe we are legally required to do so (for example upon receipt of a court order, warrant, subpoena or equivalent).
Except as set out above, we will not disclose your personal data save where we need to do so in order to enforce our rights.
We endeavour to hold all personal data securely in accordance with our internal security procedures and applicable law.
Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure. As a result, while we strive to protect your personal data, we cannot ensure and do not warrant the security of any information you transmit to us, and this information is transmitted at your own risk.
If you have been given log-in details to provide you with access to certain parts of our Site (for example our partner portal), you are responsible for keeping those details confidential.
This is the website of Sophos Limited, a company registered in England and Wales under company number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, United Kingdom, and whose VAT registration number is 991 2418 08.
If you want to request any information about your personal data or believe that we are holding incorrect personal data on you, please contact firstname.lastname@example.org. It is possible to obtain a copy of the information that we hold on you. A nominal charge of £10 may be made to cover administrative costs involved.
Notification of changes