Effective Date: July 17, 2024
This Privacy Policy describes how RealtimeBoard, Inc. dba Miro, including its affiliates and subsidiaries (collectively, Miro and also referred to as our, us and we) collects, uses and discloses information from or about an identified or identifiable person, including information that we can associate with an individual person (“Personal Data”), as well as any choices you have with respect to your Personal Data.
This Privacy Policy applies to Miro’s online collaboration tools and platform, including the associated Miro mobile and desktop applications (collectively, the “Services”), miro.com and other Miro websites (collectively, the “Websites”) and other interactions (e.g. customer support, the Miro Community, etc.) you may have with Miro, including the processing of any messages, text, files, images, video or audio recordings, or other content submitted through our Services (collectively, “Customer Content”). This Privacy Policy does not apply to any third-party applications or software that integrate with our Services (“Third-Party Services”), or any other third-party products, services or businesses.
You, the organization (e.g., your employer or another entity or person) controlling the use of the Services (“Organization”) and any associated Customer Content, and any individuals who are granted access to the Services by an Organization (“Users” and, collectively with you and an Organization, “Customer”) are also bound by the the Terms of Service or the Master Cloud Agreement, as applicable, and any product-specific Terms (together, the “Customer Agreement”).
If you have any questions about specific Organization settings and privacy practices, please contact the Customer whose Organization you use. If you have received an invitation to join an Organization but have not yet created an account, you should request assistance from the Customer that sent the invitation.
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of Personal Data. Whether Miro or Customer is the controller or processor of Personal Data depends on the type of data used and the purposes for such use.
Customer is the controller for all Customer Content that is also Personal Data. As the controller, Customer may, for example, use the Services to grant and remove access to an Organization, assign roles and configure settings, access, modify, export, share and remove information and otherwise apply its policies to the Services. As the processor for Customer Content, Miro processes Customer Content that is Personal Data only on Customer’s request and in accordance with Customer’s written instructions, including the applicable terms in the Customer Agreement, Customer’s use of the Services, and as required by applicable law. For more information about how Customer Content is processed (such as how your Personal Data is processed, the purpose and legal basis for processing, and your data subject rights), we refer you to the relevant Customer’s privacy notice.
Miro is the controller for Services Data as defined in Section 3.
Your Personal Data is provided by you, obtained from third parties, and/or created by us when you use the Services.
Customer Content. Customers routinely submit Customer Content to Miro when using the Services.
Services Data. Miro also collects, generates and/or receives the following types of Personal Data, other than Customer Content, through and in connection with Miro’s provision of the Services (the “Services Data”):
Organization and account information. To create or update an Organization account, you or the relevant Customer (e.g. you or your employer) will supply Miro with an email address, phone number, password, domain and/or similar account details. We may also receive your email address and name from Slack or other organizations with whom our platform has integrations through which you may sign up to use our Services.
Billing information. Customers that purchase a paid version of the Services may provide Miro (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
Service metadata. When a User interacts with the Services, metadata is generated to provide additional context about their use of the Services. For example, Miro logs the Organizations, boards, people, features, content and links that you view or interact with, as well the types of files shared and any Third-Party Services that you use.
Log data. Like most websites and services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services, recording this information in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, your browser type and settings, the date and time the Services were used, information about browser configuration and plugins, and language preferences.
Device data. Miro collects information about devices accessing the Services, including the type of device, operating system used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Services Data often depends on the type of device used and its settings.
Location data. We receive information from you, the relevant Customer and other third-parties that helps us approximate your location. We may, for example, use a business address submitted by your employer or an IP address received from your browser or device to determine approximate location. Miro may also collect location information from devices in accordance with the consent provided by your device.
Third-party data. Miro may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters relevant to our business from parent corporations, affiliates and subsidiaries, our partners, or other third parties that we use to make our own information more useful. This data may be combined and may include aggregate-level data. For example, information about how well an online marketing or email campaign performed, or to create a business contacts directory.
Marketing and communications Data. Miro may obtain marketing information, including your preferences in receiving marketing from us and our third parties and your communication preferences.
Cookie data. Miro uses a variety of cookies and similar technologies in our Websites and Services to help us collect Services Data. For more details about how we use these technologies, as well as your opt-out opportunities and other options, please see our Cookie Policy.
Email performance data. Miro uses a ‘clear image’ (gif) in email communications in order to track engagement and performance metrics. Much of this data is aggregated and does not contain Personal Data. If you wish to turn off this tracking, you can do so by turning off images in the email itself.
Third-Party Services data. A Customer may choose to use Third-Party Services. If Customer enables Third-Party Services, Miro may access and exchange Customer Content and Services Data with the Third-Party on Customer’s behalf, in accordance with our agreement with the Third-Party Services and any permissions granted by the Customer (including its User(s)).
Contact data. In accordance with the consent provided by your device or other third-party API, we process any contact information that a User chooses to import when using the Services.
Community data. We also receive Services Data when submitted to our Websites or in other ways, such as if you participate in the Miro Community, Miro Academy, or Miroverse. This data is either submitted directly to the Services, or collected during Forums, Programs, contests, activities, events, or educational programs hosted by Miro (or a vendor).
Call data. Our Customer Success team may record video or telephone calls with Customers for the purposes of training and quality assurance. You will be notified of this when a recording is made, and can request that Miro does not record these calls.
Additional data provided to Miro. If you use Miro’s AI features pursuant to our Terms of Service, Services Data also includes data associated with your interaction with these technologies. We also receive Services Data when submitted to our Websites or in other ways, such as when you request support, interact with our social media accounts or otherwise communicate with Miro.
Business data. Miro may receive information about individuals from organizations, industries, Customers, (potential) partners, parent corporations, affiliates and subsidiaries, and our partners for cooperation and communication purposes.
Generally, no one is under a statutory or contractual obligation to provide any Personal Data. However, certain Personal Data is collected automatically and, if some Personal Data, such as Organization setup details, is not provided, we may be unable to provide the Services.
Customer Content. Customer Content that is Personal Data will be used by Miro in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law.
Services Data. Miro uses Services Data for the purposes of our legitimate interests in operating our Services, Websites and business. More specifically, Miro uses Services Data:
To provide, update, maintain and protect our Services, Websites and business. This includes the use of Services Data to support delivery of the Services under a Customer Agreement, including to create or update an Organization, to prevent or address service errors, security or technical issues, and to analyze and monitor usage of the product and its features, trends and other activities.
To provide, update, maintain and otherwise operate the Miro Community, Miro Academy and Miroverse. This includes facilitating collaboration and interaction between Users when engaging with the Miro Community or Miroverse, and/or recording learners’ progress and certifications in Miro Academy.
To develop and improve products and Services, including AI features, provided you have not opted out.
To comply with applicable law, legal process or regulation.
To support and communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Services Data to respond.
To develop, test and provide search, learning and productivity tools and additional features. Miro tries to make the Services as useful as possible. For example, we make Services suggestions based on historical use and predictive models, identify organizational trends and insights, customize your experience of the Services, or to create and develop new features and products.
To conduct market and user research. To improve our Services and troubleshoot new products and features, we may carry out research. For example we may survey Customers (including Admins, Users and other contacts) or third parties about customer satisfaction, user experience, the effectiveness of our marketing campaigns, and their broader interests.
To send emails and other communications.
Transactional: As part of our services, we provide users with certain communications and updates, We may send you service, transactional, technical and other administrative communications, such as communications about your account, our Service offerings, changes to the Services, and important Services-related notices, such as security and fraud notices. We consider these communications as part of our Services to you.
Soft opt-in / Legitimate Interests: In addition, where you are a non-enterprise user or you if you have opted-in as an enterprise user, we sometimes send emails about new product features, recommendations and promotional communications, or other news about Miro. You can opt-out of these messages at any time by using the unsubscribe link included in all of these communications.
For billing, account management and other administrative matters. Miro may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.
To investigate and help prevent security issues and abuse.
To manage and to contact you with regard to involvement. We may need to manage and contact you with regard to your involvement and participation in the Miro Community (such as the Forums, Programs, Miroverse, contests, activities, events or educational programs hosted by Miro or a vendor).
If information is aggregated or pseudonymized so that it can no longer reasonably be associated with an identified or identifiable natural person, Miro may use it for any business purpose.
Miro will retain Customer Content and Personal Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of the Services, and as required by applicable law. The deletion of Customer’s Personal Data may result in the deletion and/or pseudonymization of an account and certain associated Services Data. Miro may retain Services Data for as long as necessary for the purposes described in this Privacy Policy.
Further, note that we may keep certain types of Services Data after the deactivation of an account for the period needed for Miro to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.
This section describes how Miro may share and disclose Personal Data. Customers determine their own policies and practices for the sharing and disclosure of Personal Data. Miro does not control how they or any other third party chooses to share or disclose Personal Data.
Miro may share and disclose Personal Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and the Customer’s use of the Services and in compliance with applicable law. Where necessary, may only share Personal Data with third parties where we have obtained consent to do so.
We may share Personal Data as follows:
Displaying the Services. When a User submits Customer Content (including Personal Data), it may be displayed to other Users that have access to the same Miro Board. For example, an User’s name and Miro profile may be displayed. Please consult the Help Center for more information on this functionality.
Customer access. Owners, administrators, Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to Personal Data. This may include, for example, your employer using Service features to export logs of your activity or accessing or modifying your profile details..
Subprocessors. We may engage third-parties as sub-processors to process Personal Data. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships to support our Customers. Please see more information on our subprocessors here.
Third-Party Services. Customers may enable Third-Party Services. When enabled, Miro may access and exchange Customer Content with the provider of a Third-Party Service on Customer’s behalf. For example, the AI features may share limited data with Microsoft in connection with the use of the AI features and to monitor compliance with codes of conduct. Third-Party Services are not owned or controlled by Miro and third parties that have been granted access to Personal Data may have their own policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the relevant provider with any questions.
Partners. We may share Personal Data with developers, partners and others we engage to create Miro applications and/or integrating Miro features.
Forums. The information you choose to provide in a community forum, including Personal Data, will be publicly available.
Corporate Affiliates. Miro may share Personal Data with its corporate affiliates, parents and/or subsidiaries for business continuity purposes.
During a change to Miro’s business. If Miro engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Miro’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all Personal Data may be shared or transferred, subject to standard confidentiality arrangements.
To comply with laws. If we receive a request for Personal Data, we may disclose Personal Data if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Miro, its users, or third parties, including enforcing its contracts or policies, or in connection with investigating and preventing illegal activity, fraud, or security issues, including to prevent death or imminent bodily harm.
Miro takes the security of Personal Data seriously. Miro strives to protect Personal Data from unauthorized access or disclosure.. Miro cannot guarantee that Personal Data stored or sent to Miro will be completely safe and encourages you to use caution. To the maximum extent allowed by applicable law, you agree and acknowledge that Miro will not be liable or responsible if any information about you is intercepted, accessed, and/or used by an unintended recipient.
Our Services may contain links to websites and services operated by third parties, which we do not own or control. This Privacy Statement does not apply to your use of such third party websites, and you should read the relevant privacy notices and terms and conditions before using such websites or services.
Miro does not allow use of our Services and Websites by anyone younger than 16 years old (“Minor”). If you learn that a Minor has unlawfully provided us with Personal Data, please contact us and we will take steps to delete this information.
By using our Services and Websites, you represent and warrant that you are not a Minor as of the date of first access to our Services and Websites.
If we share your Personal Data with our Miro group company(ies) or third parties located outside the European Economic Area or the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your Personal Data, such as by entering into the Standard Contractual Clauses adopted by the European Commission (article 46(2)(c) GDPR), which are available here, and which were also adopted by the UK Government under section 119A of the UK Data Protection Act 2018.
Where we are the controller of your Personal Data, and subject to the privacy rights granted to you under the law in your country, you have the following rights:
Access. You can request access to your Personal Data, subject to applicable law.
Portability. You can request a copy of your Personal Data that we process on the basis of consent or in order to perform a contract with you.
Erasure. You can request to erase your Personal Data that we are not required to process for compliance with law or in connection with legal claims. Where we rely on an exemption, we will inform you about this.
Correction. You can request that we correct inaccurate information we maintain about you.
Objection and restriction of processing. You can use the "unsubscribe" link in our marketing communications to stop us from using your information for that direct marketing. You can object to our processing of your Personal Data where we rely on legitimate interests or perform a task in the public interest. We will consider several factors when assessing an objection, including reasonable expectations of Miro customers, the benefits and risks to you, us, other users or other available means to achieve the same purpose that may be less invasive and do not require disproportionate effort. Unless we find that we have compelling legitimate grounds for this processing, which are not outweighed by your interests or fundamental rights and freedoms, or the processing is needed for legal reasons, your objection will be upheld and we will cease processing your Personal Data.
Withdrawal of consent. Where you have provided your consent to our processing of your Personal Data, you can withdraw your consent at any time. If you do withdraw consent, it will not affect the lawfulness of what we have done with your Personal Data before you withdrew consent.
Exercising Your Rights. To exercise your rights or ask us any questions pertaining to your rights, please contact us using the details set out in Section 14 below. Please note that we may request you to provide us with additional information in order to confirm your identity and ensure that you are entitled to access the relevant personal information.
You also have the right to lodge a complaint to a data protection authority. For more information, please contact your local data protection authority.
Categories of Personal Data we receive. We may collect, or process on behalf of our customers, the categories of Personal Data described in Section 3 above.
Sources. For information regarding the categories of sources from which we collect your Personal Data, please see Sections 3 and 4 above.
Our business and commercial purposes for use. For information regarding the specific purposes for which we collect and disclose your Personal Data, please see Sections 4 and 7 above.
Retention. Information about our retention of Personal Data is described in Section 5 above. We only use and disclose sensitive personal information for the purposes specified in applicable law or otherwise with your consent.
Depending on where you live in the United States, you may have the following rights:
Access. You can request access to the Personal Data we hold about you, how we use it and who we share it with.
Deletion. You can request that we delete any of your Personal Data that we collected from you and retained, subject to certain exceptions.
Correction. You can request that we correct inaccurate information we maintain about you.
Opt out of “Sale” and “Sharing”. While we do not sell your Personal Data in the conventional sense, we may use advertising and analytics services that are intended to analyze your use of our Services based on information obtained from cookies or other trackers, including for delivering advertising to you (such as interest-based, targeted, or cross-context behavioral advertising). You can opt out of the use of cookies and other trackers on our website by setting your preferences on our homepage. You will need to set your preferences from each device and each web browser from which you wish to opt out. This feature uses a cookie to remember your preference, so if you clear all cookies from your browser, you will need to re-select your preferred settings. We do not have actual knowledge that we “sell” or “share” the personal information of consumers under 16 years of age.
Portability. You can request that we transfer to you a copy of the Personal Data we hold about you.
Withdrawal of Consent. Where we rely on consent to process your Personal Data, you may have the right to withdraw this consent at any time. If you confirm that you wish to withdraw your consent, we will delete your information from our systems. However, you acknowledge this may limit our ability to provide you with the best possible products and services.
Exercising Your Rights. You can exercise your rights as described above by contacting us as set out in Section 14. Only you, or a person or business entity registered with the California Secretary of State that you authorize to act on your behalf (an “authorized agent”), may make the requests set forth above. You may also make a request on behalf of your minor child. The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide adequate information that we can reasonably verify that you are the person about whom we collected the personal information (including information that enables us to verify the identifying information we possibly maintain about you).
We will respond to consumer requests in a reasonably timely manner. If we require extra time to respond, we will inform you of the reason and extension period in writing. In order to protect the security of your Personal Data, we will not honor a request if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. The method used to verify your identity will depend on the type, sensitivity and value of the information, including the risk of harm to you posed by any authorized access or deletion. Generally speaking, verification will be performed by matching the identifying information provided by you to the Personal Data that we already have.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request (and will not be made more than twice in a 12-month period). If we cannot comply with a request, or cannot fully comply with a request, the response we provide will also explain the reasons we cannot comply.
Non-Discrimination. We will not discriminate against you for exercising any of your rights based on California data protection laws, including, but not limited to, by:
Denying you goods or services.
Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Providing you a different level or quality of goods or services.
Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Miro may change this Privacy Policy from time to time. Laws, regulations, and industry standards evolve, which may make those changes necessary, or we may make changes to our services or business. We will post the changes to this page and we encourage you to review our Privacy Policy to stay informed. If we make material changes to the Privacy Policy, Miro will take commercially reasonable efforts to notify you and take additional steps as required by law. If you disagree with the changes to this Privacy Policy, you should deactivate your account and discontinue your use of the Services. Contact the relevant Customer if you wish to request the removal of your Personal Data under their control.
If you have questions about this Privacy Policy, or regarding your Personal Data, you can contact us online, or by mail at:
RealtimeBoard, Inc. dba Miro ATTN: Privacy Team 201 Spear St Suite 1100 94105 San Francisco, USA
Our representative in the European Union:
RealtimeBoard BV ATTN: Data Protection Team Singel 542 1017 AZ Amsterdam, NL