General Privacy Policy

Who We Are

Avast (collectively “we”) is part of Gen™ - a global company with a family of trusted consumer brands.

The Controller of your personal data is Avast Software s.r.o., which has its principal place of business at 1737/1A Pikrtova, Prague 4, Czech Republic, 140 00.

If you live in the United Kingdom, Avast’s representative established in the UK is NortonLifeLock UK Limited, 100 New Bridge Street, London, England EC4V 6JA.

Privacy Policy Contents

This Privacy Policy describes how we handle and protect your personal data and the choices available to you. Additional information on our personal data practices may be provided in product settings, contractual terms, or notices provided prior to or at the time of data collection.

Please refer to our Products Policy describing specifics of personal data processing within our products and services.

This Privacy Policy is intended for you if you are a user of our products and services. If you are a business partner, the privacy notice that applies to you is located here: Business partner policy.

Personal Data We Process

Personal data refers to any information relating to an identified or identifiable individual (“Personal Data”).

We may collect data or ask you to provide certain data when you visit our websites and use our products and services. The sources from which we collect Personal Data include:

• Data collected directly from you or your device relating to an identified or identifiable natural person (“Data Subject”), and may include direct identifiers such as name, postal and email address, phone number, and online or indirect identifiers such as login account, login password, marketing preferences, social media account, and/or IP address;
• If we link other data with your Personal Data, we will treat that linked data as Personal Data; and
• We may also collect Personal Data from trusted third-party sources such as service providers, distributors, resellers, app stores, contact centers, and engage third parties such as marketing, survey, analytics or software suppliers to collect Personal Data to assist us.

We do not process special categories of personal data, such as data concerning health, race, ethnicity or political opinions, or deduce in any way this type of information from data we collect within our products.

We organize the Personal Data we process into these basic categories: Billing Data, Account Data, Product Data and Communications Data.

Billing Data

The below described billing process applies to all customers who have purchased our products and/or standalone features through our Gen eStore. This information is used to bill those customers for their services and products.

Our parent company, Gen Digital Inc., will act as a controller with respect to processing of the Billing Data.

Billing data includes your name, email address, billing address, your phone number, payment information (depending on method can include Credit/Debit Card Information or PayPal account), National ID (regional specific, if outside the United States), VAT/Tax ID (regional specific, if outside the United States) and device fingerprint ID.

Relevant subsets of Billing data are kept for 7 years for the purpose of complying with our legal obligations (particularly in the finance and tax area) and defending our rights.

In certain cases, you purchase our products and services from a trusted third-party service provider, reseller, or app store. In those circumstances, your Billing Data is processed by the relevant third party and we only receive a subset of this data to keep proper business records. In particular, we only have a masked credit/debit card number, not your full payment details.

Account Data

Account Data includes information to set up and customize an account, such as your name, email address and username, and information connected with our services, such as product, license and device information. For some of our products or some of their functions creating an account is necessary. Account Data is also used for customer management and engagement, revenue generation, and evaluation and optimization of operational, sales and business processes.

An account is also necessary for some features of our Forum. In the Forum profile, you have the option to provide additional information within your account such as your name, email address, social media information, birth date, gender, instant messaging information, or website name and address, your physical location, and an avatar or personalized picture. We use Discourse for hosting the Forum.

To register with us or to be able to log in later on our pages or in our products, we offer you, in addition to our own procedure, the option to do this via the services Facebook Connect, Google, and Apple ID. For this purpose, we will redirect you to a page of the corresponding provider. Data from the provider (email, platform ID, optionally name) is then provided to create the account.

The customer account remains valid until you actively delete it in the user administration section of the account. You can also contact our support or DPO in case you would like to delete your account.

Product Data

Product Data includes two sub-categories:

• Device Data includes information about the operating system; hardware; city/country location of device; IP address, device error logs; browser; network; applications running on the device, including the Avast products; and
• Service Data includes information about product usage and events relating to use of our product by you. This information includes security data (samples and detection details such as information concerning URLs of websites, texts, emails and files used for malware and scam protection), usage statistics (activation, crashes, scans, errors), information related to product licenses, support-related data and our internal identifiers associated with our services (e.g. installation ID, internal hardware ID).

These sub-categories differ for each product and service. If you want more detail about Device and Service Data we process on a product basis, please refer to our Products Policy.

Communications Data
If you contact us directly, request information or provide reviews and feedback, we collect personal data about you, including identifiers, such as your name, email address, phone number, the contents of any message or attachments that you may send or communicate to us, and any other information you choose to provide. We may retain and review audio, electronic, visual, or similar information, such as audio call and chat recordings and/or the contents of the messages as required/permitted by law and our recording and information management policies. We will also collect identifiers from you, such as your email address and phone number, when you sign up to receive product updates, offers, and other promotional information or messages from us. When we send you emails, we may track whether you open them to learn how to deliver a better customer experience and improve our services.

Why We Process Your Personal Data

We use your Personal Data for the following purposes and on the following grounds:

On the basis of fulfilling our contract with you or entering into a contract with you on your request, in order to:
 

• To process purchase of our products or services from us, our partners or our trusted third- party service providers’ online stores and to bill for products and features purchased;
• To provision the download, activation, and performance of the product or service;
• To keep our products or services up-to-date, safe and free of errors, including implementation of new product features and versions;
• To verify your identity and entitlement to paid products or services, when you contact us for support or access our services;
• To process your purchase transactions;
• To send necessary service and transactional messages and update you on the status of your orders and licences;
• To manage your subscriptions and user accounts; and
• To provide you with technical and customer support. This may include remote access to your device to better solve the issue. For this purpose, we will process the information from your product and device (e.g. crash reports, usage data), your contact details as well as other information you will provide to us (e.g. description of the issue).

On the basis of your consent, in order to:

• To subscribe you to a newsletter or the Avast forum;
• To enable the provision of third-party ads in product messages;
• To enable the provision of personalized ads in support of certain free products.

We will always ask for your consent before any processing which requires it and we will provide you with necessary information through our Consent Policy or otherwise as applicable.

In order to fulfill legal obligations, we process your Personal Data when it is necessary for compliance with our legal obligations. We may be obligated to, for instance, keep and process records for tax purposes, accounting, other obligations such as court or other legal orders, anti-money laundering, sanction checks and other necessary disclosures.

On the basis of our legitimate interest we will use your Personal Data to:

• To communicate about possible security, privacy and performance improvements and products that supplement or improve our purchased products and to optimize the content and delivery of this type of communication;
• To evaluate and to improve the performance and quality of our products, services and websites, develop new products, train our employees and to understand usage trends, and analyze user acquisitions, conversions and campaigns;
• To maintain and develop threat intelligence resources, in particular to be able to detect and block malware. We analyze samples of files and URLs we detect on your devices or websites you visit, and we use them to maintain our malware and privacy protection at the highest level possible. We may also share threat intelligence with other security companies and experts to improve our threat detection models;
• To make our systems and applications more secure including to prevent or stop an attack on our computer systems or networks;
  
• To record our phone conversation when you contact our tech support by phone to better respond to your requests.
• To maintain the effective performance of our business by ensuring necessary internal administrative and commercial processes (e.g. finances, audit, business intelligence, legal & compliance, fraud check, information security etc.); and
• To establish, exercise, or defend our legal rights.
   

Your interests are a key part of our decision-making process and have been considered in all of the above-mentioned processing activities. We believe we have achieved a fair balance between privacy and business operations. In any case, you have the right to object, on grounds relating to your particular situation, to those processing operations. For more details, please see section Your Privacy Rights.

The list is, however, not exhaustive and depending on the business and legal developments we may process data for other compatible purposes as applicable in accordance with relevant privacy regulations.

Balancing Legitimate Interests

Before relying on our legitimate interests, we balanced them against your interests and made sure they are compelling enough. With respect to the purposes below we consider necessary to explain what our interests are in detail.

Security and Threat Intelligence

We process Personal Data to support network and information security efforts. In line with EU data protection law, organizations have a recognized legitimate interest in collecting and processing Personal Data in a proportionate manner for the purposes of ensuring network and information security. This covers the ability of our networks or of our information systems to resist events, attacks or unlawful or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of the data we store or transmit, or the security of the related services offered by, or accessible via those networks and systems.

Moreover, as a member of the security community, we also cooperate with other players across the security landscape, in particular by exchanging threat intelligence resources, and aid in research and development of new security solutions.

The Personal Data we process for the purpose listed above includes, without limitation, network traffic data related to cyber-threats such as:
 

• Sender email addresses (e.g., of sources of SPAM);
• Recipient email addresses (e.g., of victims of targeted email cyberattacks including phishing);
• Email header detail including addresses and intermediary systems (e.g., as configured by cybercriminals sending malicious email);
• Filenames and execution paths (e.g., of malicious or potentially harmful executable files);
• Samples (e.g., of malicious or potentially harmful executable files);
• Samples behavior (e.g., of malicious or potentially harmful files);
• URLs and associated page titles (e.g., of web pages broadcasting or hosting malicious or otherwise harmful content); and/or
• IP addresses (e.g., of web servers and connected devices involved in the generation, distribution, conveyance, hosting, caching or other storage of cyber-threats such as malicious or otherwise harmful content).

Product messaging - In-product and Email Messages

We have a legitimate interest in messaging our users about possible security, privacy and performance improvements and about products that supplement or improve the products already purchased. We can also message our customers with information and offers relating to already purchased products (e.g. time-limited offers).

If you are our customer, we feel a responsibility to inform you about security and utility improvements and possible problems to your device and software, and provide you with effective solutions relevant to these problems. Because of this, we have a legitimate interest to optimize the content and delivery of this type of communication to you so that you are likely to find them relevant and non-intrusive at the same time. We use certain limited subsets of Billing Data, Account Data, and Product Data to deliver this communication.

Product and business improvement

We have a legitimate interest to use necessary Personal Data to understand user conversions, acquisitions and campaign performance through various distribution channels, and users’ download, activation and interactions with our products. For example, we want to know how many users clicked on our offers, or purchased our product after seeing one of our ads. These analytics help us improve functionality, effectiveness, security and reliability of our products and business activities as well as helping us to develop new products. This processing includes using third-party tools. Please refer to our Products Policy for the list of third-party tools used for the specific products and services.

How We Process Your Personal Data

We do our best to disconnect or remove all direct identifiers from the Personal Data that we use:
 

• For free versions, this disconnection or removal of identifiers begins when the products and services are initially activated. For paid users we keep Billing Data in a separate database and minimize its use for anything other than handling payments and our own analytical and financial management activities.
• For both paid and free versions, we continuously monitor for, minimize, disconnect and remove all direct identifiers during the normal performance of the products and services.

Processing of IP Addresses

Your IP address is collected at the time at which your product or service is being provided for the purpose of downloading and installing the products, product authorization, fraud and malware detection and for the purpose of facilitating our billing process. In particular for delivering the content in accordance with your device(s) settings, determining appropriate language settings for communicating with you, troubleshooting issues, and generating appropriate diagnostics reports.

Please refer to our Products Policy for specific use of IP address by our products and services.

Personalization

We use relevant Billing Data, Account Data, Product Data and your answers from surveys, in which you can participate, to personalize our offers, communication and product recommendations.

We do not take any decisions solely based on algorithms, including profiling, that would significantly affect you.

How We Disclose Your Personal Data

We only disclose your Personal Data as described below, within our group of companies, with our partners, with service providers that process data on our behalf and with public authorities, when required by applicable law. Processing is only undertaken for the purposes described in this Privacy Policy and the relevant Products Policy sections. If we disclose your Personal Data, we require its recipients to comply with adequate privacy and confidentiality requirements, and security standards.

We do not sell your personal data to third parties. We do not use or disclose sensitive personal information for the purpose of inferring characteristics about a consumer. Data obtained through short code programs will not be shared with any third-parties for their marketing reasons/purposes.

Payment processors

In certain cases we may use a third party payment processor to take payment from you. These third parties are properly regulated and authorized to handle your payment information and are prohibited from using your Personal Data for any other purposes other than arranging these services for us. However, they are independent controllers of your data with their own responsibility.

Your Billing Data is processed by the payment processor from whom you purchased the product. Your data is processed according to the relevant processor’s terms and privacy policy.

Service Providers

We may use contractors and service providers to process your Personal Data for the purposes described in this Privacy Policy and Products Policy. We contractually require service providers to keep data secure and confidential.

Such service providers may include contact centers, professional consultants (including to defend or to exercise our rights), and marketing/survey/analytics/software suppliers. We may also connect with business partners to provide specific services to you such as identity restoration. To provide identity restoration services, we may share, at your direction, your data with financial institutions, financial services companies, and other authorized third parties.

We use Salesforce to provide us the CRM platform (see their privacy information including appropriate safeguards for cross-border transfers).

We use Qualtrics as the provider of the experience management platform used to collect and evaluate customer feedback and insights (see their Privacy statement including appropriate safeguards for cross-border transfers.

We use Civilized Discourse Construction Kit, Inc., for hosting our Forum (see their privacy information).

Sometimes these service providers, for example- our distributors, resellers, and app store partners- will be independent controllers of your data and their terms and conditions, end user license agreements (“EULA”) and privacy statements will apply to such relationships.

No data is shared for cross-contextual advertising and no data is sold to these third parties.

Advertising Companies

To be able to offer our products and services for free, we serve third-party ads in our products for mobile devices. To enable the ad, we embed a software development kit (“SDK”) provided by an advertising company into the product. The SDK collects Personal Data in order to personalize ads for you.

Only few of our free products serve third-party ads. You will be asked for consent during the installation process of any such product. For further information, including the exact scope of processed Personal Data and names of relevant products, please refer to our Consent Policy which includes the list of our advertising partners and their privacy policy.

We may share limited categories of personal data (online identifiers and product-related information used to display appropriate ads) with these third parties for cross-contextual advertising purposes, as defined under California and other applicable U.S. state laws. “Cross-contextual advertising” in this context means advertisements we believe will be more interesting and useful to you based on your data, including data related to the use of our Services. Third parties may use the data we’ve shared with them to show you personalized ads. No data is sold to these third parties.

Distributors, Resellers

We may provide your Personal Data to our partners for the purpose of distribution, sale or management of our products. Our partners may communicate with you about Avast products or services. In addition, you purchase our products directly from our distributor, a reseller, or an app store. Because your relationship in these cases is with that distributor, reseller or an app store, such third party will also process your Personal Data.

No data is shared for cross-contextual advertising and no data is sold to these third parties.

Cookies Providers

Our websites use cookies to personalize your experience on our sites, to tell us which parts of our websites people have visited, to help us measure the effectiveness of campaigns, and to give us insights into user interactions and user base as a whole so we can improve our communications and products. While using our websites, you will be asked to authorize the collection and use of data by cookies according to the terms of the Cookie Policy.

Analytics Tool Providers

We use analytical tools, including third-party analytical tools, which allow us, among other things, to identify potential performance or security issues with our products, to improve their stability and function, to understand how you use our products, and websites so that we can optimize and improve your user experience, and to evaluate and improve our campaigns. We use Service and Device data for analytics.

While we generally prefer using our own analytical tools, we sometimes need to partner with other parties, which have developed and provide us with their own tools and expertise. Below, we list these partners and tools and their privacy policies.

Not all of our products use all of these third-party analytics tools. Analytics tools that we use for diagnosing your product are necessary for service provision. You will find relevant tools listed under each product in our Products Policy.

No data is shared for cross-contextual advertising and no data is sold to these third parties.

Login via third-party providers

No data is shared for cross-contextual advertising and no data is sold to these third parties.

Public Authorities

In certain instances, it may be necessary for us to disclose your Personal Data to public authorities or as otherwise required by applicable law. No Personal Data will be disclosed to any public authority except in response to:
 

• A subpoena, warrant or other process issued by a court or other public authority of competent jurisdiction;
• A legal process having the same consequence as a court-issued request for data, in that if we were to refuse to provide such data, it would be in breach of local law, and it or its officers, executives or employees would be subject to liability for failing to honor such legal process;
• Where such disclosure is necessary for us to enforce our legal rights pursuant to applicable law; or
• A request for data with the purpose of identifying and/or preventing credit card fraud.

No data is shared for cross-contextual advertising and no data is sold to these third parties.

Mergers, Acquisitions and Corporate Restructurings

Like any other consumer brand, we too go through our own cycle of growth, expansion, streamlining and optimization. Our business decisions and market developments therefore affect our structure. As a result of such transactions, and for maintaining a continued relationship with you, we may transfer your Personal Data to a related affiliate.

If we are involved in a reorganization, merger, acquisition or sale of our assets, your Personal Data may be transferred as part of that transaction. We will notify you of any such deal and outline your choices in that event, when applicable. Information including personal data relating to our business may be shared with other parties in order to evaluate and conclude the transaction. This would also be the case if we were required by law to make such changes.

Cross-Border Transfers of Personal Data among Group Entities and to Third-Party Vendors

We are a global business that provides products and services all around the world. In order to reach all of our users and provide all of them with our software, we operate on an infrastructure that spans the globe. The servers that are part of this infrastructure may therefore be located in a country different than the one where you live. In some instances, these may be countries outside of the European Economic Area (“EEA”). Regardless, we provide the same GDPR-level of protection to all Personal Data processed.

The intra-group transfers within the Gen Digital Group are covered by the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA), the United Kingdom, and Switzerland to the United States. Check here to access the Gen Digital Inc. Data Privacy Framework Notice.

At the same time, when we transfer Personal Data originating from the EEA outside of the EEA or cooperate with a third-party vendor located outside the EEA, we always make sure to put in place appropriate safeguards, such as Standard Contractual Clauses or adequacy decisions adopted by the European Commission, to ensure that your data remains safe and secure at all times and that your rights are protected.

Situations where we transfer Personal Data outside of the EEA include: allowing access to Personal Data stored in the Google Cloud Platform to Google personnel located outside the EEA, the provisioning of our products and services and third-party services related to it, the processing of transactions and of your payment details, and the delivery of support services. Further, an outside-EEA transfer may also occur in case of a merger, acquisition or a restructuring, where the acquirer is located outside of the EEA (see the Mergers, Acquisitions and Restructurings section).

How We Protect Your Personal Data

We maintain administrative, technical, and physical safeguards for the protection of your Personal Data.

Administrative Safeguards

Access to the Personal Data of our users is limited to authorized personnel who have a legitimate need to know based on their job descriptions, for example, employees who provide technical support to end users, or who service user accounts. In the case of third-party contractors who process personal information on our behalf, similar requirements are imposed. These third parties are contractually bound by confidentiality clauses, even when they leave the company. Where an individual employee no longer requires access, that individual's credentials are revoked.

Technical Safeguards

We store your personal information in our database using the protections described above. In addition, we utilize technical safeguards such as up-to-date firewall protection for an additional layer of security, high-quality anti-virus software, and we regularly update our virus definitions. Third parties who we hire to provide services and who have access to our users' data are required to adopt appropriate measures if we deem them necessary.

Physical Safeguards

Access to user information in our database by Internet requires using an encrypted VPN, except for email which requires user authentication. Third-party contractors who process Personal Data on our behalf agree to provide reasonable physical safeguards.

Proportionality

We strive to collect no more Personal Data from you than is required by the purpose for which we collect it. This, in turn, helps reduce the total risk of harm should data loss or a breach in security occur: the less data we collect, the smaller the overall risk.

Children’s Privacy

Our websites, services and products are not directed to, nor do we knowingly collect data from, minors (as defined by applicable law) except where explicitly described otherwise in the privacy notices of services designed specifically for purposes, such as to assist you by providing child online protection features. In such cases, we will only collect and process Personal Data related to any child under the age specified in particular jurisdictions, which you choose to disclose to us or otherwise instruct us to collect and process. Details about this processing is included in our Products Policy. Please refer to the specific applicable notices for this information.

How Long We Store Your Personal Data

We keep your personal data as long as we need it to provide you with our services, to comply with legal obligations or protect our or other’s legitimate interests (such as to prevent harm; investigate possible violations of our terms or policies; promote safety, security and integrity; protect ourselves, including our rights, property or products; to defend against legal claims, complaints, litigation or regulatory proceedings). Often, there are different reasons to keep a specific piece of information that overlap and influence each other.

When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature of our relationship with you, and mandatory retention periods provided by law and the relevant statute of limitations. 

More specifically, we will hold your Personal Data on our systems for the following periods:
 

• For Billing Data, for as long as we have a legal obligation or for our legitimate interests in establishing legal rights and keeping proper business records. So, if we take payments from you, we archive limited payment information related to transactions for the time specified in law (depending on the relevant jurisdiction) to maintain proper business records, meet our audit obligations, detect and prevent fraud and to protect our legal rights in case there are disputes. We also keep your Billing data to enable the renewal of your subscriptions;
• For Account Data, for as long as you maintain your account;
• For Product Data, only as long as necessary for the purposes of a particular product or service. Where possible, we use rolling deletion periods which means we regularly delete collected data in the given periods starting from the collection of that respective data. The rolling deletion periods for Product Data are not longer than six years. You can find specific rolling deletion periods for each of our products and their purposes in our Products Policy. Please note that when you uninstall our product, processing for service provision, in-product messaging, analytics and third-party ads, if applicable, dependent on the installed product shall cease. After the uninstallation, we will continue to process your Product Data for statistical purposes for up to six years. We have measures in place to ensure compliance with data protection laws, including pseudonymization.
• For Communications Data, for as long as necessary to resolve your requests or questions and maintain evidence of such communications to defend our rights and protect our interests. If you receive product updates, offers, and other promotional information or messages, we process the data until you unsubscribe.

Storage of Your Personal Data

We are a global company that processes personal data in many countries. As part of our business, we may transfer data across the Gen group, its subsidiaries and affiliates, and third-party vendors of Gen located worldwide, including Avast, Avira, LifeLock and Norton entities. Data can be located in places where we offer our products or have our offices, infrastructure or data centers, including Europe and the United States.

Transfers of your personal data within Gen Digital and its subsidiaries and affiliates are done pursuant to our intra-group data transfer agreement including EU Commission-approved standard contractual clauses (SCCs). At the same time, intra-group transfers within the Gen Digital Group are covered by the EU-U.S. Data Privacy Framework, UK Extension to the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA), the United Kingdom, and Switzerland to the United States. Click here to access the Gen Digital Inc. Data Privacy Framework Notice.

Before we transfer data to third parties, we look at the risks to the data associated with such transfer. We require third parties to maintain the same protections over your data that we provide directly. For data originating from the European Economic Area we rely on standard contractual clauses (SCCs), where applicable, to ensure your data rights are protected. To request a copy of the SCCs, please contact us here.

Situations where we transfer Personal Data outside of the EEA may also include: allowing access to personal data stored in the cloud (such as Microsoft Azure, Amazon Web Services and Google Cloud Platform) to personnel located outside the EEA, the provisioning of our products and services and third-party services related to it, the processing of transactions and of your payment details, and the delivery of support services.

In all cases, we follow generally accepted standards and security measures to protect the personal data submitted to us, both during transmission and once we receive it.

Your Privacy Rights

There are a variety of data protection laws around the globe that provide privacy rights to you as our customer. You can make certain choices about how your data is used by us by adjusting the privacy settings of the relevant product. 

Besides that, you have the following rights (depending on the region):

• Right to information - Right to receive information about the processing of your Personal Data, prior to processing as well as during the processing, upon request. In particular, but not limited to:
  • categories of personal data collected, sold, or disclosed by us;
  • purposes for which categories of personal data are collected or sold;
  • categories of sources from which we collect personal data;
  • categories of third parties to whom we disclosed or sold personal data; and
  • specific pieces of personal data we have collected about you during the past twelve months.
• Right of access - You have the right to receive a copy of your Personal Data
• Right to rectification - You have the right to seek correction of inaccurate Personal Data.
• Right to erasure ("right to be forgotten") - You have the right to erasure of your Personal Data, but only in specific cases stipulated by law, e.g., if there is no legally recognized title on our part for further processing of your Personal Data (incl. protection of our legitimate interests and rights).
• Right to data portability - The right to receive Personal Data which you have provided and is being processed on the basis of consent or where it is necessary for the purpose of conclusion and performance of a contract, in machine-readable format. This right applies exclusively to Personal Data where processing is carried out by automated means.
• Right to object - Applies to cases of processing carried out in legitimate interest. You have the right to object to such processing, on grounds relating to your particular situation, and we are required to assess the processing in order to ensure compliance with all legally binding rules and applicable regulations. In case of direct marketing, we shall cease processing Personal Data for such purposes after the objection.
• Right to withdraw consent - In the case of processing based on your consent, as specified in our Consent Policy, you can withdraw your consent at any time by using the same method (if technically possible) you used to provide it to us (the exact method will be described in more detail with each consent when you provide it). The withdrawal of consent shall not affect the lawfulness of processing based on your consent before its withdrawal.
• Right to restriction of processing - You have the right to restriction of processing of your Personal Data if: You are contesting the accuracy of your Personal Data, for a period enabling us to verify the accuracy of your Personal Data; the processing is unlawful and you oppose the erasure of the Personal Data and request the restriction of its use instead; we no longer need the Personal Data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or you have objected to processing of your Personal Data, and there is a pending verification whether our legitimate grounds override your interests.
• Right to Equal Service - Right not to receive discriminatory treatment for the exercise of your privacy rights, subject to certain limitations.
• Right to contact a supervisory authority or court - You may contact and lodge a complaint with the supervisory authority – The Office for Personal Data Protection (Czech: Úřad na ochranu osobních údajů – www.uoou.cz) or your local authority or a relevant court.
   

You can submit your requests relating to your data subject rights and access to documentation relating to appropriate safeguards for cross-border transfers through our online form: https://support.avast.com/en-us/contact/dsr.

The fulfillment of data subject rights listed above will depend on the category of Personal Data and the processing activity. In all cases, we strive to fulfill your request.

We will action your request within one month of receiving a request from you concerning any one of your rights as a Data Subject. When we are faced with an unusually large number of requests or particularly complicated requests, the time limit may be extended to a maximum of another two months. If we fail to meet these deadlines, we would, of course, prefer that you contact us to resolve the situation informally.

Where requests we receive are unfounded or excessive, in particular because they repeat, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.

Identification of an individual may not be necessary for some of our free products to be delivered to you or to function. In this case, we do not and will not maintain, acquire or process additional information solely in order to identify the users of our free products and services.

Consistent with our privacy by design, privacy by default and data minimization practices, we may not be able to identify you in connection with Product Data relating to specific free products and services. However, you can go directly to your product settings and explore the available privacy options.

Your Choices in products

You can make certain choices about how your data is used by us by adjusting the privacy settings of the relevant product. Please check your product settings to set your privacy preferences there.

Non-EU Jurisdictions

Residents of the Russian Federation

We collect and process Personal Data relating to those within the territory of the Russian Federation in strict compliance with the applicable laws of the Russian Federation.

We collect and process Personal Data (including sharing it with third parties) only upon the consent of the respective individuals, unless otherwise is permitted by the laws of the Russian Federation. You will be asked to grant your consent by ticking the respective box / or clicking “I accept” button or through similar mechanism prior to having access to the site, and/or when submitting or sharing the Personal Data we may request. We collect and use your Personal Data only in the context of the purposes indicated in the consent to processing of Personal Data.

We (directly or through third-party contractors specifically authorized by us) collect, record, systematize, accumulate, store, update and amend, extract Personal Data of the Russian Federation citizens with the use of databases located in the territory of the Russian Federation except as otherwise permitted by Russian data protection legislation. We may process Personal Data of Russian citizens using databases located outside of the Russian Federation subject to compliance with Russian data protection legislation.

You are entitled by law to receive information related to processing your Personal Data. To exercise this right, you have to submit a request to the contacts listed below in the Contact Us section.

You have the right to revoke the consent at any time by sending us an e-mail at the contacts listed below in the Contact Us section. Once we receive the revocation notice from you we will stop processing and destroy your Personal Data, except as necessary to provision the contract or service to you and ensure compliance with the data protection laws. However, once you have revoked your consent, we may not be able to provide to you the products and services you request, and may not be able to ensure proper work of our products.

We do not transfer your Personal Data to the countries that under Russian law are not deemed to provide adequate protection to the individuals’ rights in the area of data privacy.

We do not offer, sell or otherwise make available our products or services that have access to, collect and process (or allow us to do the same) Personal Data of third parties in the Russian Federation without the consent of such third parties.

If any provisions of this Policy contradict the provisions of this section, the provisions of this section shall prevail.

California Privacy Rights

This section applies to you if you are a resident of the state of California, and it explains your privacy rights, as well as other information about our treatment of California residents’ information.

Information Notice

Categories of collected personal information

You can see all categories of collected personal information listed in the section Personal Data We Process.

Sources from which the personal information is collected

You can find information about the sources of data in the section Personal Data We Process.

Business or commercial purpose for collecting or selling personal information

You can find all purposes of processing your personal information listed in the section Why We Process Your Personal Data.

Categories of third parties with whom the business shares personal information

You can find all categories of recipients of personal information listed in the section How We Disclose Your Personal Data. Avast does not sell (as such term is defined in the California Consumer Privacy Act/California Privacy Rights Act) your personal information we collect without providing a right to opt out or your direct permission. See more about your right to opt out of sale below.

How long we store your personal information

You can find more information on our retention practices in the section How Long We Store Your Personal Data above.

Other information

Our products are not targeted at minors under 16 years of age. We therefore have no knowledge of any sale of data concerning them.

We use and disclose sensitive personal information only for purposes expressly permitted under California law and therefore the ‘right to limit’ does not apply to our processing.

Your Rights

You have the right to:

• know what personal information is being collected about you and how it’s processed;
• know whether your personal information is sold, shared or disclosed, and to whom;
• request that we correct the personal information we have about you that is incorrect;
• say no to the sale or sharing of your personal information (right to opt out);
• limit the use and disclosure of your sensitive personal information;
• request deletion of your personal information; information will be deleted if no exception applies (including our right to defend our lawful interests);
• access your personal information; specific information shall be provided in a portable and, to the extent technically feasible, in a readily useable format but not more than twice in a 12-month period;
• non-retailation, including the right to receive equal service and price, even if you exercise your privacy rights (also known as the right to non-discrimination).
   

Under California law, we are required to disclose to consumers the following information upon written request: (1) the categories of personal information that we have disclosed to third parties within the prior year, if that information was subsequently used for the third parties’ direct marketing purposes; and (2) the names and addresses of all such third parties to whom such personal information was disclosed for the third parties’ direct marketing purposes.

We hereby disclose that we have not disclosed any such personal information regarding any California resident during the one-year period prior to the effective date of this Privacy Policy with the exception of:
 

• third-party advertising cookies stated in our Cookie Policy.
• third-party ads in products listed in our Consent Policy.

Right To Opt Out Of Sale or Sharing

If your personal information is subject to a sale or sharing, you have the right to opt out from that sale or sharing.

For more information on how you can opt out of the sale or sharing of your personal information, please consult our “Do Not Sell or Share My Personal Information” page.

Request Submission

You can submit your requests using contacts indicated below in the Contact Us section. We will verify your request by matching your email address and, if necessary, other information you provide in your request against the email address and other information we have in our system. You can also designate an authorized agent to exercise these rights on your behalf. We may require that you provide the authorized agent with written permission to act on your behalf and that the authorized agent verify their identity directly with us.

Contact Us

To exercise any of your rights, or if you have any other questions or complaints about our use of your Personal Data and its privacy, write our Privacy Team through the most convenient channel below:

You can submit your privacy requests through our online form: https://support.avast.com/en-us/contact/dsr.

We are registered as Avast Software s.r.o. and our registered address is Pikrtova 1737/1a, 140 00 Prague 4, Nusle, Postal Code 140 00, Czech Republic. You can always reach us by email at dpo@avast.com. Please type “PRIVACY REQUEST” in the message line of your email so we can have the appropriate member of the Avast team respond.

If you prefer, you can send paper mail to AVAST Software s.r.o., Pikrtova 1737/1a, 140 00 Prague 4, Czech Republic. Be sure to write "Attention: PRIVACY" in the address so we know where to direct your correspondence.

If you live in the United Kingdom, you can contact our representative NortonLiIfeLock UK Limited, 100 New Bridge Street, London, England EC4V 6JA.

Data Protection Officer

As required under the GDPR, we have a data protection officer (DPO) to monitor our compliance with the GDPR, provide advice where requested and cooperate with supervisory authorities. You can contact our data protection officer via dpo@avast.com.

Or by mail:
Pembroke Privacy Ltd
4 Upper Pembroke Street
Dublin 2
Ireland DO2VN24

Changes to this Privacy Policy

We reserve the right to revise or modify this Privacy Policy. In addition, we may update this Privacy Policy to reflect changes to our data practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account), product notification or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

Updates