Elastic Product Privacy Statement

Effective Date: January 3, 2025

This Product Privacy Statement (the "Product Privacy Statement" or "Statement") explains how Elasticsearch, Inc. and its subsidiaries and affiliates ("Elastic," "we", "us" and "our") collect, use and share information, including information relating to an identified or identifiable natural person ("Personal Data" or "Personal Information") from our customers or users ("you" and "your") when you use or demo our Elastic products such as Elastic Self-Managed Software, Elastic Cloud Services, or any other services maintained by Elastic for use by our users, such as Support Services (together the "Products").

Scope & Responsibilities
Information We Collect from the Products
How We Use Information We Collect from the Products
How We Share Information We Collect from the Products
How We Use Cookies and Automatic Data Collection Tools
Legal Basis for Processing Personal Data We Collect from the Products
User Privacy Rights and Choices
Security
International Data Transfers
Data Privacy Framework
California Privacy Rights
Other Information
How to Contact Us


Scope & Responsibilities

This Statement applies only to the information we collect automatically in connection with your use of the Products and for which we determine the means and purpose of processing (i.e., as a "data controller").

Our legal basis for processing such information in the European Economic Area (EEA), the United Kingdom (UK), or Switzerland is our legitimate interest in providing, improving, maintaining, and securing our Products, providing support for users of our Products, and operating our business efficiently and appropriately.

This Product Privacy Statement does not cover:

  • Personal Data processed by Elastic according to our General Privacy Statement, such as Personal Data collected through: our websites, such as www.elastic.co, website (together the "Sites"); product feedback or surveys; the sales and provisioning process; and in connection with Elastic events, sales and marketing activities. Please see our General Privacy Statement for details on how this information is processed.
  • Personal Data processed by Elastic according to our Applicant Privacy Statement when an individual applies for a role with Elastic through our Site or otherwise.
  • Personal Data processed by Elastic as a Processor. This Product Privacy Statement does not apply to Personal Data processed by Elastic as a Processor or Service Provider (as applicable), which is subject to the terms of the applicable customer agreement.
  • Organizational Users. When you use the Products on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization per its own policies regarding the use and protection of Personal Data. If you have questions about how your data is being used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.


Information We Collect from the Products

When you use our Products, Elastic automatically collects information about how you are using the Products ("Product Usage Data"). While most Product Usage Data does not contain Personal Data, it may include:

  • Products and System Data: this is information about the Products you are using and about the systems and related environment from which you access the Products. This may include Product type and version, deployment ID, license information, installed plug-ins, UUID, operating system, hardware version, MAC address, IP address, network connection type, browser type, device type, and third-party systems used in connection with the Products.
  • Cluster Data: this is information about your Elasticsearch Cluster. This may include statistics related to uptime, node count, node types, indexes, shards, and segments.
  • Performance Data: this is information about the performance of the Products. This may include metrics on the performance and scale of the Products and response times.
  • Feature Usage Data: this is information about how you are using the Products. This may include details about which features are used and user interface metrics, search queries entered, functions and commands executed, number of searches, and types of searches.
  • Security Data: for security Products, this is information about how the security software is operating. This may include information on sensor performance, sources, networks, and destinations of threats (which may include IP addresses, URLs, and DNS queries), configuration and detection events, and security event data.


How We Use Information We Collect from the Products

Elastic uses the information automatically collected from the Products to support our customers and improve the Products generally; more detailed information is provided below. Elastic strives to collect only the minimum amount of information needed to achieve these purposes.

How we use Product Usage Data

We use Product Usage Data to fulfill our contractual obligations in providing the Products to you and to fulfill our legitimate interest in supporting and enhancing the Products. For example, we may use Product Usage Data for:

  • Product improvement: Elastic may use Product Usage Data to analyze the use of the Products, prioritize testing and development of new features and functionality, improve our support responses, improve forecasting, make pricing and packaging decisions, identify, understand, and anticipate performance issues and the factors that affect them.
  • Supporting our customers and users: Elastic may use Product Usage Data to provide proactive or reactive support to our customers and users (such as guidance to help optimize usage), identify product improvement opportunities, prioritize future product features, personalize your experience and suggest other Elastic Products, solicit feedback, and increase engagement and adoption of our features (e.g., by providing in product suggestions).
  • Conducting account administration: Elastic may use Product Usage Data to provide the Products and for account management, such as managing product downloads, updates, and fixes, and sending other administrative or account-related communications, including release notes and billing information.
  • Enhancing security: Elastic may use Product Usage Data to help monitor, prevent and detect fraud, enhance security, monitor and verify identity or access, and combat spam or other malware or security risks.
  • Maintaining the security of our Products: Elastic may use Product Usage Data to maintain the security and operational integrity of the Elastic IT infrastructure and our Products, including for security monitoring and incident management, managing the performance and stability of the Products, addressing technical issues, and operate our back-up disaster recovery plans and policies.
  • Confirming your compliance with contractual obligations: Elastic may use Product Usage Data to confirm your compliance with contractual and other terms of use obligations in connection with the relevant Product.
  • Business to business marketing and sales: Where permitted by law, Elastic may use Product Usage Data to market additional Products to our customers and to inform sales discussions.
  • Complying with legal requirements: Elastic may use Product Usage Data to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting, and dispute resolution. Elastic may be legally required to access Personal Data contained in Product Usage Data, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of Elastic or users of the Products, protect the safety of others, to investigate fraud, or respond to government requests, including in response to lawful requests by public and government authorities outside a user's country of residence, including to meet national security or law enforcement requirements.
  • Other legitimate business purposes: Elastic may use Product Usage Data when it is necessary for other legitimate purposes.


How We Share Information We Collect from the Products

We take care to ensure that the Product Usage Data, including any Personal Data that may be contained therein, is accessed internally only by individuals that require access to perform their tasks and duties, and externally only by service providers with a legitimate purpose for accessing it. We contractually require such service providers to safeguard any Personal Data they may receive from us. We will not sell your Personal Data or allow a third party to use your Personal Data for its own commercial purpose. See the Section titled How We Share the Information in our General Privacy Statement for more information.


How We Use Cookies and Automatic Data Collection Tools

Depending on the Product you use, we may use cookies or other tracking technologies in furtherance of the purposes described in this Statement. The types of technology we use may change over time. Some of these technologies are essential for the provision of the Products, such as account access and authentication; others assist with the performance and functionality of the services, such as recognizing returning users or remembering preferences; and others enable us to analyze and customize the Products.


Legal Basis for Processing Personal Data We Collect from the Products

Our legal basis for processing Personal Data contained in information we collect from the Products in the EEA, the UK, or Switzerland is our legitimate interest in providing, supporting, improving, maintaining, and securing our Products and operating our business efficiently and appropriately.


User Privacy Rights and Choices

We only collect a limited amount of Personal Data to fulfill the purposes outlined in this Statement. Depending on where you live, you may have certain rights with respect to your Personal Data such as:

  • Access: To request and obtain a copy of your Personal Data that is held by Elastic;
  • Rectification: To request the correction of your Personal Data held by Elastic in order to update any incomplete or inaccurate information;
  • Deletion: To request to have your Personal Data held by Elastic deleted;
  • Restrict Processing: To request that we restrict the processing of your Personal Data where:
    • You dispute the accuracy of the data;
    • The processing is unlawful, but you do not wish to have it delete; or
    • Elastic no longer needs the data, but you need it to assert, exercise, or defend legal claims.
  • Objection: To object to the further processing of your Personal Data at any time;
  • Portability: To request to receive the Personal Data you have provided to Elastic in a structured, commonly used, machine-readable format; and
  • Withdrawal of consent: To request to withdraw consent at any time, where previously given.

If your Personal Data is to be used for a new purpose that is materially different from that for which it was originally collected or subsequently authorized, or is disclosed to a non-agent third party in a manner that is not specified in this Statement, we will provide you with an opportunity to choose whether to have your Personal Data used or disclosed in such a manner. Requests opt-out of such uses or disclosures should be sent to us as specified in the "How to Contact Us" section of this Statement below.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Elastic also commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. Individuals located in the EU, UK, or Switzerland with inquiries or complaints regarding our handling of their Personal Data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Elastic by submitting this form. Please identify yourself and specify your request. We use commercially reasonable efforts to delete your Personal Data as required, but retain records necessary to comply with a governmental authority or applicable federal, state, or local law. Where legally permitted, we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, or jeopardize the privacy of others.

You may also have the right to complain to a data protection authority about our collection and use of your Personal Data. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Elastic commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. If Elastic itself, or through cooperation with the relevant authority, does not resolve your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the Data Privacy Framework Principles.


Security

Elastic is committed to protecting the security of your Personal Data. We use appropriate technical and organizational measures to protect your Personal Data from loss, misuse, and unauthorized access, alteration, or disclosure. Despite these measures, Elastic cannot eliminate every potential security risk associated with Personal Data and mistakes, and security breaches may happen.


International Data Transfers

Elastic operates globally, which means Personal Data may be transferred to countries other than the country in which the individual resides. These countries may have data protection laws that are different from the laws of the individual's country of residence.

Specifically, if you reside in the EEA, the UK, or Switzerland your Personal Data may be processed outside those places, in countries, including the US, which have different data protection laws.

We take steps to carry out these transfers in compliance with applicable laws. These steps in include putting appropriate data transfer agreements in place to help protect your Personal Data, participating in the U.S. Department of Commerce's Data Privacy Framework, implementing the European Commission's standard contractual clauses along with supplementary measures, implementing the Information Commissioner's Office international data transfer addendum to the European Commission's standard contractual clauses, and relying on the European Commission's and the Information Commissioner's Office's adequacy decisions about certain countries, as applicable, for data transfers from the EEA, UK, and Switzerland to the United States and other countries. We implement similar appropriate safeguards with our third-party service providers and affiliates. Furthermore, our privacy guidelines are communicated to our employees on an annual basis as part of our mandatory training. We have taken appropriate safeguards to ensure that any Personal Data collected and transferred under this Product Privacy Statement will remain protected.


Data Privacy Framework

Elastic complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Elastic has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Elastic has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. Elastic's commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data privacy framework website.

As set out above, Elastic uses a limited number of third-party service providers to assist us in providing our services to our users and customers, and in otherwise conducting our business. These third parties may access, process, or store Personal Data in the course of providing their services. Elastic maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and Elastic remains liable if they fail to meet those obligations and Elastic is responsible for the event giving rise to the damage.


California Privacy Rights

See our California Privacy Rights Statement for information about California Privacy Rights, and other required disclosures, if any.


Other Information

Data Retention. We retain information collected in connection with the Products for so long as necessary to fulfill the purposes outlined in this Statement, or where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).

Changes to this Product Privacy Statement. This Product Privacy Statement is subject to occasional revision. If we make any substantial changes in the way we use Personal Data, we will take appropriate measures to inform our customers, consistent with the significance of the changes we make. We will provide notice of any material Product Privacy Statement changes if and where required by applicable data protection laws.

The date of the most recent update to this Product Privacy Statement can be found by checking the "effective" date displayed at the top of this Product Privacy Statement.


How to Contact Us

If you have any questions or concerns regarding this Statement, you may fill out this form or write us by postal mail at:

Elasticsearch B.V.
Attn: Privacy Team
Keizersgracht 281
1016 ED Amsterdam
The Netherlands

Data Protection Officer. Elastic has appointed an external Data Protection Officer for German data subjects. You can contact our Data Protection Officer here.

If we are unable to resolve your concerns, you have the right to contact your local data privacy supervisory authority or seek a remedy through the courts if you believe your requests to exercise your rights have not been honored.