Sophos Group Privacy Policy

This document was last updated on 10 July 2015.


This is the privacy policy of Sophos Limited and its subsidiaries.

We are committed to safeguarding the privacy of your personal data. Please read the following privacy policy to understand how we collect and use your personal data, for example when you contact us, visit one of our websites (each a “Site”), apply for a job, or use our products and services.

Whenever you give us personal data, you are consenting to its collection and use in accordance with this privacy policy.

What personal data do we collect?

We may collect personal data such as your name, company position, address, telephone number, mobile number, fax number, email address, credit card details, age, IP address, and account usernames.

How do you use my personal data?

If you provide personal data to us, we will collect that information and use it for the purposes for which you have provided it and in accordance with this privacy policy.

Browsing our Site

Every time you connect to the Site, we store a log of your visit that shows the unique number your machine uses when it is connected to the Internet - its IP address. This tells us what your machine has looked at, whether the page request was successful or not and which browser your machine used to view the pages. This data is used for statistical purposes as well as to help customize the user experience as you browse the Site and subsequently interact with Sophos and our partners. This helps us to understand which areas of the Site are of particular interest, which pages are not being requested, and how many people are visiting the Site in total. It also helps us and our partners to determine which products and services may be of specific interest to you. We may attempt to contact you through these details if necessary, including, without limitation, when you are using the wrong paths to access the Site or are breaching restrictions on the use of the Site. We may also use this information to block IP addresses where there is a breach of the Terms and Conditions for use of the Site.


A cookie is a piece of text that gets entered into the memory of your browser by a website, allowing the website to store information on your machine and later retrieve it. Some of our pages use cookies so that we can distinguish you from other users and better serve you when you return to the Site. Cookies also enable us to track and target the interests of our users to enhance the onsite experience. For information about the cookies that we use, please refer to the Cookie Information page on the relevant Site.

Job applicants

If you are making a job application or inquiry, you may provide us with a copy of your CV or other relevant information. We may use this information for the purpose of considering your application or inquiry. Except when you explicitly request otherwise, we may keep this information on file for future reference.

Partner portal

Our resellers and distributors may visit our partner portal Site. We may use the customer and prospect information provided on that Site in order to provide the products and services.

Account management

If you obtain products or services from us, we may use your contact details and (where applicable) payment information for the purposes of (i) providing training, customer support and account management, (ii) order processing and billing, (iii) verifying your usage of the products and services in accordance with the terms and conditions of your agreement with us, (iv) carrying out end user compliance checks for export control purposes, (v) issuing license expiry, renewal and other related notices, and (vi) maintaining our company accounts and records.

Product and service related data

If you purchase or use our products or services, we may collect the following types of information: (i) product type, product version, product features and operating systems being used; (ii) processing times; (iii) customer identification code and company name, and (iv) IP address of the machine which returns the above listed information.

We may use such information for purposes which include but are not limited to:

  • verifying your credentials and compliance with any usage restrictions,
  • carrying out end user compliance checks for export control purposes,
  • providing the products/services and any associated maintenance and technical support,
  • providing virus, incident and other alerts, and information about product upgrades, updates, renewals and product lifecycle changes,
  • providing maintenance and technical support,
  • providing information about product upgrades, updates and renewals,
  • generating logs, statistics and reports on service usage, service performance and malware infection,
  • evaluating, developing and enhancing products, services, and our infrastructure,
  • planning development roadmaps and product lifecycle strategies.

Some products and services also collect or generate an ID code for each machine which reports back to us. This ID code is only used to enable us to distinguish between unique machines so that (i) we do not duplicate reports from the same source; and (ii) we can determine the number of unique machines that are using the products and services. If this ID code is collected together with other information which could identify an individual when combined, we anonymize the ID code to prevent this from occurring.

Certain products and services may include features that collect additional personal data for other purposes, as described below. For detailed information, please also refer to the applicable product or service description.

Sophos Mobile Security

When an application is downloaded on a device or the user initiates a check of all installed applications on an Android device, Sophos Mobile Security sends queries to our cloud infrastructure in order to validate the reputation of the applications. Each query contains a fingerprint generated from the Android application (the APK file) under investigation.

A unique device identifier is also generated locally on each mobile device during installation of Sophos Mobile Security. We do not associate this identifier with any personal data. Periodically the product sends statistical feedback packets to us, including the unique device identifier and service performance information.

Sophos Firewall Products

You acknowledge and agree that the Sophos Firewall and Firewall Manager Products may provide us with the below information, which will be used for the purpose of improving product stability, prioritizing feature refinements and enhancing protection.

    (a). Configuration and Usage Data, including without limitation (i) device model, firmware and license information, such as model, hardware version, vendor, firmware version, and country; (ii) aggregated product usage information, such as product features in use (on/off, count), amount of configured objects, policies, managed devices, groups, templates; (iii) CPU, memory, and disk usage information; (iv) product errors; and

    (b). Application Usage and Threat Data, including without limitation (i) IPS alerts; (ii) virus detected and the URL where the virus was found; (iii) spam; (iv) ATP threats; and (v) applications used and unclassified applications.

Information about unclassified applications is used to improve and enlarge network visibility and the application control library.

    (c). Monitoring Threshold Data, including (i) monitoring threshold values per model; and (ii) alert threshold criteria and values per model.

Monitoring Threshold Data is used to improve the default threshold settings and alert criteria included within the product across models.

Configuration and Usage Data does not include user-specific information or personal data and cannot be disabled. Application Usage and Threat Data, and Monitoring Threshold Data collection is enabled by default, but you may disable collection of such data within the product at any time.

Sophos Mobile Control

When Sophos Mobile Control is installed or updated, you may receive Apple push notifications, Google cloud to device messaging for Android, SMS text messages, and other remote communications.

Sophos Mobile Control will store a list of users and mobile devices, and will record any applications downloaded or modifications made to such devices. Your administrator can also configure Sophos Mobile Control to track the geographic location of mobile devices and to lock or wipe a mobile device that has been lost or stolen.

Sophos Cloud Products

We may directly and remotely communicate with your protected devices for the purposes of, without limitation (i) applying policy and configuration changes to such devices; and (ii) extracting usage information, service performance information, and infection logs. Such communications may include but not be limited to SMS text messages and other push notifications.

You acknowledge and agree that it may be necessary for us to collect and process certain information relating to individuals in order to provide the Cloud products, and that such information may include proprietary, confidential and/or personal data, including without limitation (i) names, email addresses, telephone numbers and other contact details; (ii) account usernames; (iii) IP addresses; (iv) usage information; (v) lists of all software, files, paths and applications installed on the device, (vi) details of changes or attempted changes to executable files, pathnames and scripts, (vii) logs of websites visited; (viii) infection logs; and (ix) files suspected of being infected with malware.

Certain Cloud products may also (at your sole option) enable you to configure the product to (i) track and log the geographic location of devices; (ii) block access to devices; (iii) delete the content of devices; (iv) store text and email messages that were sent and/or received by devices. Such information may also be stored on the device itself and accordingly we recommend that you encrypt your devices.

You warrant that you have obtained all necessary permissions and provided the necessary notifications to share the above information with us for the purposes described. You also acknowledge and agree that it may be necessary under applicable law to inform and/or obtain consent from individuals before you intercept, access, monitor, log, store, transfer, export, block access to, and/or delete their communications. You are solely responsible for compliance with such laws.

Sophos Cloud Portal

If you select “Enable Partner Access” in the Settings tab of your Sophos Cloud portal, your designated third party partner or service provider will be able to access and administer your Sophos Cloud services on your behalf. If you do not enable such access, your designated third party partner or service provider will only see high-level reporting information such as Sophos Cloud services purchased and current usage information. You may revoke such access at any time by changing the permissions in the Settings tab.

Market research

If you participate in surveys, we may use your personal data to carry out market research. This research is conducted for our internal business and training purposes and will improve our understanding of our users’ demographics, interests and behaviour. This research is compiled and analysed on an aggregated basis and therefore does not individually identify any user.

Marketing and promotions

We (or our resellers or other selected third parties acting on our behalf) may contact you from time to time in order to provide you with information about products and services that may be of interest to you. All marketing emails that we send to you will follow the email guidelines described below. You have the right to ask us not to process your personal data for marketing purposes, but if you do so, we may need to share your contact information with third parties for the limited purpose of ensuring that you do not receive marketing communications from them on our behalf.

Email communications

We adhere to the following guidelines in relation to our email communications:

  • emails will clearly identify us as the sender,
  • emails will include our physical postal address,
  • emails sent to you for marketing purposes will include an option to unsubscribe from future email messages,
  • you may unsubscribe from all mailing lists, with the exception of any emails regarding legal notices, invoicing, product updates, upgrades or license renewals,
  • any third parties who send emails on our behalf will be required to comply with legislative requirements on unsolicited emails and the use of personal data.

We send emails from a number of different domains in both plain text and HTML email formats. Emails are usually sent using sender email addresses at:

Emails offering software downloads or free product trials will usually link to web pages on or If you receive an email which claims to come from us but does not use these domains, or if you are suspicious that an email may not be approved by us, then please send a copy of the email to so we can investigate.

We have published best practice guidelines to help internet users learn how to avoid phishing emails at

With whom might we share your personal data?

As a global company, we have international sites and users all over the world. When you give us personal data, that data may be used, processed or stored anywhere in the world, including countries outside the EEA.

We may also pass your personal data to suppliers, service providers, subcontractors, agents, distributors, resellers and other partners, some of whom may be located outside the EEA, in order to provide you with the information, products and services that you requested or otherwise for the purposes described in this privacy policy.

In the event that we receive requests from government departments, agencies or other official bodies, we will only disclose your information if and to the extent that we believe we are legally required to do so (for example upon receipt of a court order, warrant, subpoena or equivalent).

Except as set out above, we will not disclose your personal data save where we need to do so in order to enforce our rights.

Whenever we share personal data, we take all reasonable steps to ensure that it is treated securely and in accordance with this privacy policy.


This privacy policy applies to personal data collected by us. If an email or Site contains links to a third party site, please be aware that we are not responsible for the content or privacy practices of such site. We encourage our users to be aware when they leave our Site, and to read the privacy policy of other sites that collect personal data.


We endeavour to hold all personal data securely in accordance with our internal security procedures and applicable law.

Unfortunately, no data transmission over the Internet or any other network can be guaranteed as 100% secure. As a result, while we strive to protect your personal data, we cannot ensure and do not warrant the security of any information you transmit to us, and this information is transmitted at your own risk.

If you have been given log-in details to provide you with access to certain parts of our Site (for example our partner portal), you are responsible for keeping those details confidential.


This is the website of Sophos Limited, a company registered in England and Wales under company number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxon, OX14 3YP, United Kingdom, and whose VAT registration number is 991 2418 08.

If you want to request any information about your personal data or believe that we are holding incorrect personal data on you, please contact It is possible to obtain a copy of the information that we hold on you. A nominal charge of £10 may be made to cover administrative costs involved.

Notification of changes

This privacy policy was last updated on 10 July 2015. We reserve the right to amend or vary this policy at any time and the revised policy will apply from the date posted on the Site. You accept that by doing this, we have provided you with sufficient notice of the amendment or variation.