Contents
- Who We Are and Scope of this Privacy Policy
- Data Categories and Collection Purposes
- How We Use Your Data
- Analytics, Cookies and Other Web Site Technologies
- Recipients
- Data Retention
- Cross Border Data Transfers
- Security and Availability
- Changes
- Children’s Privacy
- Your Rights and Contacting LastPass
Who We Are and Scope of this Privacy Policy
LastPass provides password and identity management solutions (“Services”) that are easy to manage and effortless to use for individuals and businesses.
This Privacy Policy addresses visits to our webpages and use of our Services outside the United States. The applicable LastPass entity identified here shall serve as the data controller (or equivalent construct under applicable law), and is referred to herein as “LastPass,” “we,” “us,” or “our.”
In this Privacy Policy we explain what personal data we collect from visitors to LastPass websites and users of LastPass Services. We also explain how we use such personal data and how the owners of that data can exercise their available data privacy rights. Our affiliates in other countries have posted additional privacy notices with different scopes as required by law or as we believe appropriate for transparency purposes. They are available here.
Data Categories and Collection Purposes
At LastPass, we strive to limit the types and categories of personal data that is collected from, and processed on behalf of, our users to include only information which is necessary to achieve the purpose(s) for which it was collected. We do not use personal data for additional purpose(s) which are incompatible with their initial collection. In other words, we have measures and policies in place designed to ensure that we only collect and process information from our users that we believe is necessary to provide them with a world-class Service.
When you visit our websites and/or use our Services, you may provide us with the following categories of personal data:
- Customer Account and Registration Data is data you provide us when you create your LastPass account, request support or technical assistance, or register for events, webinars, whitepapers and surveys. This typically includes, but is not necessarily limited to, first and last name and a valid email address. This data is needed to provide the Services to you and maintain and support your account. The legal basis for processing this data is to comply with applicable legal obligations, perform our contractual obligations under the applicable Services agreement, and for our legitimate interest to do business with you, your employer, and/or your business.
- Master Password. Except for those LastPass Business accounts which utilize alternative authentication methods (e.g., Single Sign On or “SSO”) to access LastPass, users must create a “Master Password,” which is used to access their LastPass account and generate the encryption keys that secure the information they store within the LastPass Service (“Customer Content” as further defined below). LastPass’ zero-knowledge security model is designed to ensure that we do not and cannot know our users’ Master Passwords or the data used to generate SSO encryption keys, and therefore LastPass cannot view or access sensitive vault data. It is highly recommended that users create a unique and suitably long Master Password and enable Multi-Factor or Two-Factor Authentication to help ensure their LastPass vault, and the Customer Content stored within, remains secure.
- Billing Data. LastPass utilizes third-party service providers to process payments made through our websites. Where required for regulatory, legal, tax compliance, or customer support purposes, we may store partial payment information (such as the expiration date and last four digits of your credit card). Information that is maintained by our payment processors such as name, address, and phone number associated with a payment method may be accessed only by select individuals with role-based access, in a secure manner, under appropriate confidentiality obligations, and a legitimate need to know. LastPass does not maintain your complete payment information or otherwise receive or store any billing data where payment is made for a LastPass subscription through the Google Play or Apple App Store.
- Service Data (including Session, Location and Usage data). When you visit our websites and use our Services, we receive data that you or others voluntarily enter, as well as data automatically logged by the website or Service (for example, hardware, equipment and devices used, IP addresses, location, language settings, operating system used, unique device identifiers and other diagnostic, troubleshooting, crash, and bug reporting data). We utilize this information to provide, operate, support the use of, and improve our Services. We collect location-based data for the purpose of providing, operating, and supporting the service and for fraud prevention and security monitoring. (You can disable location data transmission on mobile devices at any time by disabling location services from the settings menu on your device.) The legal basis for processing this data is to comply with our legal obligations, perform our contractual obligations under the applicable Services agreement, and under our legitimate interest to do business with you, your employer or business, or customers that use our Services to communicate with you and your business.
- Customer Content means any files, documents, or similar data that we maintain on your or your users’ behalf, as well as any other information you or your users may upload or input (e.g., manually or via optional functionality such as password save and fill) to your LastPass account in connection with the Services. As part of LastPass’ enhanced security model, vault data is encrypted using our zero-knowledge architecture. Vault data is encrypted on your device (i.e., client-side) using your Master Password, which LastPass does not maintain or know. Vault data is always encrypted when transmitted, and decryption occurs client-side, using your Master Password or SSO credentials. Because LastPass does not maintain your Master Password, it cannot access your sensitive vault contents in a decrypted manner; only you can decrypt your stored information. Please see our Technical and Organizational Measures (“TOMs”) documentation to learn more about how LastPass protects your data through its zero-knowledge architecture.
- Feedback. Where you elect to provide us with feedback, which may include, but is not limited to, reviews posted online (e.g., in social channels or review sites) and on app stores, as well as suggestions made in connection with surveys, market research, etc., we may use any applicable personal data provided with the feedback to respond to you. We may also use feedback as described in the Terms of Service.
We also process your personal data to comply with applicable laws, including those of the European Union (“EU”) and/or individual European Economic Area (“EEA”) Member States, and such compliance obligations are the legal basis for such processing.
Where applicable, if we are permitted to place cookies or contact you for marketing purposes, we may also use your personal data for purposes that are consistent and/or compatible with the original purpose of collection under the same legal basis or where your consent has been given. We may also contact you under a legitimate business purpose (e.g., if you are a current subscriber to one of our Services). Note that you may easily and at any time opt-out of receiving further marketing from LastPass by visiting https://lp.lastpass.com/LastPass-Unsubscribe.html.
How We Use Your Data
LastPass may use and share customer account and registration data, service data, billing data, and feedback with our third-party service providers to: (a) provide and operate our Services; (b) address and respond to service, security, and customer support needs; (c) detect, prevent, or otherwise address fraud, security, unlawful, or technical issues; (d) comply with applicable laws and administrative requests, protect our rights and the rights of others, assert and defend against claims; (e) fulfill contracts; (f) maintain and improve our Services; (g) provide analysis or valuable insights to our customers and users; (h) assess the needs of your business to determine and promote other LastPass products which we believe may be helpful to you; (i) provide product updates and marketing communications; (j) conduct research and analysis for business planning and product development; and (k) display content based upon your interests. To the extent permitted by law, we may also combine, correct and enrich personal data we receive from you with data about you from other sources, including publicly available databases or from third parties to update, expand and analyze our records, identify new prospects for marketing, and provide products and Services that may be of interest to you.
We will only use Customer Content to provide and operate the LastPass Services and on the basis of your documented instructions, which are deemed given for the following purposes: (i) processing in accordance with the applicable Services agreement, terms of service and order form(s), if any; (ii) processing initiated by you when using the Services; and (iii) processing to comply with other documented reasonable instructions provided by you (e.g., via email) where such instructions are consistent with the terms of the Agreement. To the extent LastPass has control over your information, we shall act on your behalf and endeavor at all times to act in a reasonable and ethical manner.
Analytics, Cookies and Other Web Site Technologies
We strive to ensure that LastPass continues to provide a world-class user experience and service. To help us achieve this goal, we use first- and third-party cookies and other web analytics tools which help us better understand how our visitors use and interact with our websites, desktop tools, and mobile applications; what webpages, features and functions they like and dislike; and where they may have run into problems which need to be addressed.
Google Analytics
We use Google Analytics as described in “How Google uses data when you use our partners' sites or apps.” You can prevent your data from being used by Google Analytics on our websites by installing the Google Analytics opt-out browser add-on here. For enhanced privacy purposes, we also employ IP address masking, a technique used to truncate IP addresses which may be collected by Google Analytics and store them in an abbreviated form to prevent them from being traced back to individual users. Portions of our website may also use Google Analytics for Display Advertisers, including DoubleClick or Dynamic Remarketing, which provide interest-based ads based on your visit to this or other websites. You can use Ads Settings to manage the Google ads you see and opt-out of interest-based ads. You can similarly exercise your rights with respect to use of this data as described in the “Exercising Choice” section below.
Social Media
Many of our websites include optional social media integrations and/or features, such as Facebook, Google, and Twitter “share” buttons. If you use these features they may collect your IP address, information about which page you are visiting, and may set a cookie to enable the feature to function properly. You can exercise your rights with respect to the use of this data as specified in the “Exercising Choice” section below. These services, integrations, and/or features will also authenticate your identity and provide you the option to share certain personal data with us such as your name and email address to pre-populate our sign-up form or provide feedback. Your interactions with these features are governed by the privacy policy of the third-party company providing them.
Exercising Choice
We provide more information about the types and categories of cookies we use, as well as the ability to exercise certain choices and control over the cookies and other web analytics tools we deploy via LastPass’ Cookie Consent Manager (available via the “Cookie Preferences” hyperlink at the bottom of this page) as well as the following options:
- If you do not wish to have the information these technologies collect used for the purpose of serving you targeted ads, you may opt-out here.
- The Help Menu on the menu bar of most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, and how to disable cookies altogether.
- To manage Flash Cookies, please click here.
You can still view our websites if you choose to set your browser to refuse all cookies; however, you will need to keep certain cookies enabled in order to establish a LastPass account or to install the Services.
As part of our commitment to your privacy and security, LastPass includes additional controls to disable anonymous error reporting and app attribution (for mobile) within the Service itself. Learn more by visiting here and here.
Recipients
We apply access controls within our organization to limit the recipients of personal data to only those individuals who have a “need to know” in order to perform those functions which are needed to help us operate our business and provide our services. For example, our customer support and technical staff, billing and finance personnel, and representatives of our legal and audit departments may have access to certain categories of personal data as necessary for the legitimate purposes of our data processing.
We may share your personal data: (a) with our affiliated companies and subsidiaries which are directly or indirectly owned by, or under common control with, LastPass; (b) at your direction, with separate, specific notice to you, or under appropriate lawful basis (e.g., with your consent); (c) with third-party service providers who are under appropriate confidentiality and data privacy obligations (only for the purposes identified in Section 3, “How We Use Your Data”); (d) in connection with a merger, divestiture, acquisition, reorganization, restructuring, financing transaction or sale of all or substantially all of the assets pertaining to a product or business line; and (e) as required by law or administrative order, to assert claims or rights, or to defend against legal claims.
To the extent LastPass uses its affiliates or any third-party providers in the provision and operation of its Services and processing of any Customer Content, including any personal data therein, it discloses those parties in the applicable Affiliate and/or Sub-processor Disclosure in the LastPass Trust & Privacy Center.
Data Retention
We keep your personal data in a form which permits identification for no longer than needed for the business purposes for which it was collected or as necessary to comply with our legal and regulatory obligations, to resolve disputes, and enforce our agreements. Personal data processed in the context of a contract with you will be retained by us for the term of the contract and for a reasonable time afterwards as might be required to determine and settle any related claims. Where our processing of your personal data is based on legitimate interests or compliance with legal obligations, it will be deleted as soon as the applicable underlying purpose has expired. Personal data processed based on your consent will be deleted if and when you withdraw such consent. Unless requested sooner or a shorter retention period is defined, the applicable Technical and Organizational Measures (“TOMs”) documentation shall designate when your account, including your LastPass vault and the Customer Content therein, will be designated/marked for deletion or anonymization. For specific details on data retention periods for your account, as well as the information LastPass maintains on your behalf, consult Section 5 of the TOMs documentation located at the LastPass Trust & Privacy Center.
Cross Border Data Transfers
As a global organization, we may transfer, process, or access your personal data through affiliated LastPass entities and unaffiliated third-party service providers, including in countries where we operate and countries outside of the EU/EEA in which the level of data protection may not be deemed to be as high as within the EU/EEA. In all cases, LastPass complies with applicable legal requirements and provides an adequate level of data protection, regardless of where the data is being transferred or accessed. For transfers of personal data outside of your jurisdiction, LastPass shall, as applicable, utilize lawful transfer mechanisms where available and required by applicable law, including, but not limited to the European Union’s Standard Contractual Clauses (inclusive of any variations recognized in other regions of the world).
LastPass’ privacy practices, described in this Privacy Policy, comply with the APEC Cross Border Privacy Rules System (“CBPR”). The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
LastPass’ privacy practices, described in this Privacy Policy, comply with the APEC Privacy Recognition for Processors (“PRP”) system. The APEC PRP system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC PRP framework can be found here.
To learn more about how LastPass protects personal data, review and execute appropriate data processing addendums (where relevant), or review locations where LastPass may process your Customer Content (including any personal data therein) through its affiliated companies or third-party sub-processors, please visit the LastPass Trust and Privacy Center.
Security and Availability
LastPass has implemented a comprehensive information security program which includes robust technical and organizational measures designed to safeguard and protect the personal, identifiable, and/or confidential information we collect or that you share with us. LastPass has been assessed by, and received validation from, independent third-party auditors against recognized security standards and controls, including SOC2 Type II, SOC3 Type II, and BSI C5.
Additionally, LastPass uses a combination of geographically distributed hosting providers and/or facilities to help ensure sufficient service availability, uptime, and redundancy needed to provide our global user base with the best possible experience.
To learn about LastPass’ security, availability, and privacy measures and/or certifications, please visit the LastPass Trust & Privacy Center.
Changes
We may update this Privacy Policy from time to time to reflect changes to our personal data handling practices or respond to new legal requirements. If we make any material changes to this Privacy Policy that have a substantive and adverse impact on your privacy, we will provide notice on this website and additionally notify you by email (sent to the e-mail address specified in your account) for your approval prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
Children’s Privacy
LastPass’ webpages and Services are intended for general audiences; we do not seek to gather personal data from or about children or minors (i.e., individuals under the age of majority). If you inform us or we otherwise become aware that we have unintentionally received personal data from a minor, we will delete this information from our records.
Your Rights and Contacting LastPass
Your Rights
Subject to conditions specified by applicable law, where applicable, you have the following rights with respect to the processing of your personal data, to:
- Access – inquire whether and what kind of personal data we hold about you and how it is processed, and to access or request copies of such personal data;
- Revision/Rectification – request the correction or supplementation of personal data about you that is inaccurate, incomplete or out-of-date in light of the purposes underlying the processing (please visit here to review resources on correction/supplementation, including revision of save-and-fill credentials directly within your LastPass vault);
- Erasure/Deletion – request erasure of personal data that is no longer necessary for the purposes underlying the processing (to facilitate account deletion for LastPass Free users, please visit here), processed based on withdrawn consent, processed for legitimate interests that, in the context of your objection, do not prove to be compelling or necessary for the establishment, exercise or defense of legal claims, or processed in noncompliance with applicable legal requirements;
- Restriction – request that we restrict the processing of personal data in certain situations where you feel the processing is inappropriate;
- Objection – object, on grounds relating to your particular situation or where your personal data is used for direct marketing purposes, to the processing of personal data for legitimate interests; and
- Portability/Export – request portability of personal data that you have provided to us (for information about how to export your account and vault, please visit here), where the processing of such personal data is based on consent or a contract with you and is carried out by automated means.
Contact and Request Information
In case of concerns, you also have the right to lodge a complaint with a supervisory authority having appropriate jurisdiction. If you have questions or requests relating to our privacy practices or this Privacy Policy, or if you would like to exercise any of the above-mentioned rights of access, rectification, erasure, restriction, objection or data portability, you may contact us at https://support.lastpass.com/, which allows you to make a request online or through a phone call, and/or via e-mail at privacy@lastpass.com. We will strive to respond to your request as soon as practicable, but in any regard within the time frames required under applicable law (e.g., one month under the GDPR).
Please note that where LastPass receives personal data about you from a separate, unaffiliated entity that engaged in the initial collection for purposes other than collection on LastPass’ behalf, you may need to make certain requests directly with that entity. We will honor and support any instructions they provide us with respect to your personal data.
If you wish to no longer receive marketing communications from us, you can opt-out of marketing by clicking on the unsubscribe link on any marketing email you receive, or at https://lp.lastpass.com/LastPass-Unsubscribe.html.
If you have any other questions about this policy please contact the LastPass Privacy Team, call us at the applicable support number here, or write to us via postal mail at: Attn: Legal and Privacy Team, LastPass Ireland Limited, The Reflector, 10 Hanover Quay, Dublin 2, D02R573, Republic of Ireland. To reach our Global Customer Support department, you may contact us here.
You can additionally contact our Data Protection and/or Privacy Officer(s) by sending an e-mail to privacy@lastpass.com or via postal address at the address above. Please mark the envelope, “Data Protection Officer, c/o LastPass Legal.”
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you may also contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.