Last modified: November 12, 2020
This Privacy Notice describes how we collect and process your personal information in relation to Google Workspace and Google Cloud Platform (together, “Cloud Services”).
We offer Cloud Services either directly or via our authorized partners. Where we refer to our customers in this notice, we also mean our partners and their customers.
Information We Collect
Google processes Customer Data, Partner Data and Service Data in order to provide Cloud Services. This Privacy Notice applies solely to Service Data and does not apply to Customer Data or Partner Data.
Customer Data and Partner Data are defined in our agreement(s) covering Cloud Services and represent the data that you and our customers provide for processing in Cloud Services. For more information about how we process Customer Data and Partner Data, see our Google Workspace Data Processing Amendment, Google Cloud Platform Data Processing and Security Terms (Customers) and Google Cloud Platform Data Processing and Security Terms (Partners).
Service Data is the personal information Google collects or generates during the provision and administration of the Cloud Services, excluding any Customer Data and Partner Data. Service Data includes:
- Cloud payments and transactions. We keep reasonable business records of charges, payments, and billing details and issues.
- Cloud settings and configurations. We record your configuration and settings, including resource identifiers and attributes. This includes service and security settings for data and other resources.
- Technical and operational details of your usage of Cloud Services. We collect information about usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain Cloud Services and related software. This information may include device identifiers, identifiers from cookies or tokens, and IP addresses.
- Your direct communications. We keep records of your communications and interactions with us and our partners, for example, when you provide feedback or contact information, ask questions or seek technical support.
Why We Process Data
Google processes Service Data for the following purposes:
- Provide Cloud Services you request. Service Data is primarily used to deliver the Cloud Services that you and our customers request. This includes a number of processing activities that are necessary to provide the Cloud Services, including processing to bill for services usage, to ensure services are working as intended, to detect and avoid outages or other problems you might experience, and to secure your data and the services you use.
- Make recommendations to optimize use of Cloud Services. We may process Service Data to provide you and our customers with recommendations and tips. These suggestions may include ways to better secure your account or data, options to reduce service charges or improve performance, and information about new or related products and features. We may also evaluate your response to our recommendations.
- Maintain and improve Cloud Services. We evaluate Service Data to help us improve the performance and functionality of Cloud Services. As we optimize Cloud Services for you, this may improve them for our customers and vice versa.
- Provide and improve other services you request. We may use Service Data to deliver and improve other services that you and our customers request, including Google or third-party services that are enabled via the Cloud Services, administrative consoles, APIs, or the Google Cloud Platform Marketplace or Google Workspace Marketplace.
- Assist you. We use Service Data when needed to provide technical support and professional services as requested by you and our customers, and to assess whether we have met your needs. We also use Service Data to improve our online support, and to communicate with you and our customers. This includes notifications about updates to Cloud Services, and responding to support requests.
- Protect you, our users, the public, and Google. We use Service Data to improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm our users, our customers, the public, or Google. These activities are an important part of our commitment to secure our services.
- Comply with legal obligations. We may need to process Service Data to comply with our legal obligations, for example, where we’re responding to legal process or an enforceable governmental request, or to meet our financial record-keeping obligations.
- Other purposes with your consent. We may ask for your consent to process information for other purposes not covered in this Privacy Notice. You have the right to withdraw your consent at any time.
To achieve these purposes, we may use Service Data together with information we collect from other Google products and services. We may use algorithms to recognize patterns in Service Data. Manual collection and review of Service Data may also occur, such as when you interact directly with our billing or support teams. We may aggregate and anonymize Service Data to eliminate personal details, and we may use Service Data for internal reporting and analysis of applicable product and business operations.
Where Data Is Stored
We maintain data centers around the world, and provide Google Workspace from these locations and Google Cloud Platform from these locations. Service Data may be processed on servers located outside of the country where our users and customers are located because Service Data is typically processed by centralized or regionalized operations like billing, support, and security.
Regardless of where Service Data is processed, we apply the same protections described in this Privacy Notice. When transferring Service Data outside of the European Economic Area, we comply with certain legal frameworks.
How We Secure Data
We build Cloud Services with strong security features to protect information. The insights we gain from providing our services help us detect and automatically block security threats from ever reaching you.
We work hard to protect you and Google from unauthorized access, alteration, disclosure, or destruction of information we hold, including:
- We encrypt Service Data at rest and while in transit between our facilities.
- We regularly review our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems.
- We restrict access to personal information to Google employees, contractors, and agents who need that information in order to process it for us. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations.
How We Share Data
We do not share Service Data with companies, organizations, or individuals outside of Google except in the following cases:
- With your consent
- With your administrators and authorized resellers
- View account and billing information, activity and statistics
- Change your account password
- Suspend or terminate your account access
- Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request
- Restrict your ability to delete or edit your information or your privacy settings
- For external processing
- For legal reasons
- Comply with applicable law, regulation, legal process, or enforceable governmental request. We share information about the number and type of requests we receive from governments in our Transparency Report.
- Enforce applicable agreements, including investigation of potential violations.
- Detect, prevent, or otherwise address fraud, security, or technical issues.
- Protect against harm to the rights, property or safety of Google, our customers, users, and the public as required or permitted by law.
We’ll share Service Data outside of Google when we have your consent. For example, when you or our customer chooses to procure a third-party service through the Google Cloud Platform Marketplace or Google Workspace Marketplace, or use a third-party application that requests access to your information, we’ll seek permission to share information with that third party.
When you use Cloud Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:
We provide information to our affiliates, partners and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures.
We may share Service Data outside of Google if we have a good-faith belief that access to, or use, preservation, or disclosure of the information is reasonably necessary to:
If Google is involved in a reorganization, merger, acquisition, or sale of assets, we’ll continue to ensure the confidentiality of your personal information and give affected users notice before personal information becomes subject to a different privacy policy.
Access to Data
Your organization may allow you to access and export your data in order to back it up or transfer it to a service outside of Google. Some Google Cloud Services enable you to directly access and download the data you have stored in the services. For example, as further described in our Google Workspace Data Subject Requests Guide, you or your organization may use various tools to access, control, and export data.
You and your organization’s administrator can access several categories of Service Data directly from Google Cloud, including your billing contact information, payment and transaction information, as well as product and communication settings and configurations.
If you’re otherwise unable to access your data, you can always request it here.
Deletion and Retention of Data
We retain Service Data for different periods of time depending on what it is, how we use it, and how you configure your settings.
Service Data is deleted or anonymized once it is no longer needed. For each type of data and operation, we set retention timeframes based on the purpose for its collection, and ensure it is kept for no longer than necessary.
Sometimes we need to retain certain information for an extended period of time for legitimate business or legal purposes. For example, when Google processes a payment for you, or when you make a payment to Google, we’ll retain data about those transactions as required for tax or accounting purposes. Other legitimate business or legal purposes that may require us to retain data include security, fraud and abuse prevention, ensuring continuity of our services, and complying with legal or regulatory requirements.
When we delete data, we follow detailed steps to make sure that the data is securely and completely removed from our active systems or retained only in anonymized form. We take measures to ensure that our services protect information from accidental or malicious deletion through the use of backup systems.
Using Google Accounts and Products
Your Google Account is your connection to all Google products and services, not just Cloud Services. When you choose to use Google products and services outside of Cloud Services, the Google Privacy Policy describes how data (including your Google Account profile information) is collected and used. You and your administrator can control which other Google services you may use while logged into a Google Account managed by your organization.
If you interact with Cloud Services using a Google Account managed by an organization, then your personal information may be subject to your organization’s privacy policies and processes, and you should direct privacy inquiries to your organization.
EU Privacy Standards and GDPR
If European Union (EU), UK or Swiss data protection law applies to the processing of information about you, you have certain rights, including the rights to access, correct, delete and export your information, as well as to object to or request that we restrict processing of your information.
For users based in the European Economic Area, UK or Switzerland, the data controller responsible for Service Data is Google Ireland Limited. However, where our customer has entered into an agreement covering Cloud Services with a different Google affiliate, that affiliate will be the data controller responsible for processing Service Data in connection with billing for the Cloud Services only.
If you want to exercise your data protection rights with regard to information we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact Google via our Privacy Help Center. And you can contact your local data protection authority if you have concerns regarding your rights under local law.
In addition to the purposes and grounds described in this Privacy Notice, we may process information on the following legal grounds:
-
Where necessary for the performance of a contract with you
We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.
-
When we’re complying with legal obligations
We’ll process your information when we have a legal obligation to do so.
-
When we’re pursuing legitimate interests
We may process Service Data based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing Cloud Services you request; making recommendations to optimize use of Cloud Services; maintaining and improving Cloud Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of Google, our users, our customers, and the public, as required or permitted by law.
Brazil Requirements
If Brazilian data protection law applies to the processing of information about you, you have certain rights, including the rights to access, correct, delete or export your information, as well as to object to or request that we restrict processing of your information. You also have the right to object to the processing of your information or to export your information to another service.
For users based in Brazil, the data controller responsible for Service Data we collect for Google Workspace is Google LLC, and the data controller responsible for Service Data we collect for Google Cloud Platform is Cloud Brasil Computação e Serviços de Dados Ltda. If you want to exercise your data protection rights with regard to information we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact Google via our Privacy Help Center. And you can contact your data protection authority if you have concerns regarding your rights under Brazilian law.
In addition to the purposes and grounds described in this Privacy Notice, we may process information on the following legal grounds:
-
Where necessary for the performance of a contract with you
We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.
-
When we’re complying with legal obligations
We’ll process your information when we have a legal obligation to do so.
- When we’re pursuing legitimate interests
We may process Service Data based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing Cloud Services you request; making recommendations to optimize use of Cloud Services; maintaining and improving Cloud Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of Google, our users, our customers, and the public, as required or permitted by law.
California Requirements
The California Consumer Privacy Act (CCPA) requires specific disclosures for California residents.
This Privacy Notice is designed to help you understand how Google handles your information:
-
We explain the categories of information Google collects and the sources of that information in Information We Collect.
-
We explain how Google uses information in Why We Process Data.
-
We explain when Google may share information in How We Share Data. Google does not sell your personal information.
The CCPA also provides the right to request information about how Google collects, uses, and discloses your personal information. And it gives you the right to access your information and request that Google delete that information. Finally, the CCPA provides the right to not be discriminated against for exercising your privacy rights.
We provide the information and tools described in this Notice so you can exercise these rights. When you use them, we’ll validate your request by verifying your identity (for example, by confirming that you’re signed in to your Google Account). If you have questions or requests related to your rights under the CCPA, you (or your authorized agent) can also contact Google.
The CCPA requires a description of data practices using specific categories. This table uses these categories to organize the information in this Privacy Notice.
Categories of personal information we collect | Business purposes for which information may be used or disclosed | Parties with whom information may be shared |
---|---|---|
Service Data is the personal information Google collects or generates during the provision and administration of the Cloud Services, excluding any Customer Data and Partner Data. Service Data includes: Identifiers such as your name, phone number, and address, as well as unique identifiers tied to the browser, application, or device you’re using. Demographic information, such as your preferred language. Commercial information such as records of charges, payments, and billing details and issues. Internet, network, and other activity information such as device identifiers, identifiers from cookies or tokens, IP addresses, and information about usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain Cloud Services and related software. Geolocation data, such as the country you’re in, as may be determined by GPS or IP address, depending in part on your device and account settings. Audio, electronic, visual and similar information, such as audio recordings of your calls with our technical support providers. Inferences drawn from the above, like aggregated performance metrics for a new product feature to determine product strategy. |
Google processes Service Data for the following purposes: Protecting against security threats, abuse, and illegal activity. Google uses and may disclose Service Data to detect, prevent and respond to security incidents, and for protecting against other malicious, deceptive, fraudulent, or illegal activity. For example, to protect our services, Google may receive or disclose information about IP addresses that malicious actors have compromised. Auditing and measurement. Google uses Service Data for analytics and measurement to understand how our services are used, and to provide you and our customers with recommendations and tips. Maintaining our services. Google uses Service Data to provide Cloud Services, technical support, and other services you request, and ensure they are working as intended, for example by tracking outages or troubleshooting bugs and other issues that you report to us. Product development. Google uses Service Data to improve Cloud Services and other services you request, and to develop new features and technologies that benefit our users and customers. Use of service providers. Google shares Service Data with service providers to perform services on our behalf, in compliance with this Privacy Notice and other appropriate confidentiality and security measures. For example, we may rely on service providers to help provide technical support. Legal reasons. Google also uses Service Data to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement. We provide information about the number and type of requests we receive from governments in our Transparency Report. |
We do not share Service Data with companies, organizations, or individuals outside of Google except in the following cases: With your consent. We’ll share Service Data outside of Google when we have your consent. For example, when you or our customer chooses to procure a third-party service through the Google Cloud Platform Marketplace or Google Workspace Marketplace, or use a third-party application that requests access to your information, we’ll seek permission to share information with that third party. With your administrators and authorized resellers. When you use Cloud Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:
For external processing. We provide information to our affiliates, partners and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures. For legal reasons. We may share Service Data outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:
|
Korea Requirements
If Korean data protection law applies to the processing of your Service Data, we provide the following additional information for users of Cloud Services residing in Korea.
Items of personal information collected. When you use our Cloud Services, the following Service Data is collected: (i) business records of charges, payments, and billing issues, (ii) configuration and settings, including resource identifiers and attributes. (iii) usage, operational status, quality and performance metrics, and other technical details, device identifiers, identifiers from cookies or tokens, and IP addresses, (iv) your feedback, contact information and your other communications with us, each as further described here.
The above personal information may be transmitted to our data centers located abroad through our network for the purposes listed below and stored for the retention period below.
We may use cookies (small text files placed on the user's device) and similar technologies for a variety of purposes, including user preferences or settings, authentication information, and interest-based advertising or analysis. Most web browsers accept cookies automatically, but provide controls that allow you to block or delete cookies.
Purpose of collection and use of personal information. Google collects and uses Service Data (i) to provide Cloud Services you request, (ii) to make recommendations to optimize use of Cloud Services, (iii) to maintain and improve Cloud Services, (iv) to provide and improve other services you request (v) to assist you, (vi) to protect you, our users, the public and Google, (vii) to comply with legal obligations, and (viii) for other purposes with your consent, each as further described here.
Retention period of personal information. Service Data is deleted or anonymized once it is no longer needed for the purposes described above. For each type of data and operation, we set retention timeframes based on the purpose for its collection, and ensure it is kept for no longer than necessary.
Deletion of personal information. If the retention period expires or you request deletion, Google will faithfully endeavor to delete such personal information unless there is a legal obligation that requires processing or another lawful basis for retaining the information. When we receive a request to delete personal information, the retention period of the archive copy expires, and then Google's archiving system has a mechanism to overwrite the expired data. In some cases, it may be necessary to store some data for a variety of other reasons, such as complying with legal obligations.
Consignment of personal information processing. We provide information to affiliates (listed here for Google Cloud Platform and here for Google Workspace) and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures.
Google has contracts with the third-party service providers listed below to provide Cloud Services to Korean residents. The contracts impose obligations on those companies to prohibit the processing of personal information other than for the purposes we specify, to return or destroy personal information after the end of processing, and to implement processes to ensure those companies comply with these obligations.
Third-party vendor | Role | Note |
---|---|---|
EPAM Systems Japan G.K | Customer Support for Cloud | In order for Google to provide Cloud Services to Korean residents, these companies can process Service Data remotely from abroad during the retention period described above. |
Telus International US Corp, EPAM Systems Japan G.K | Cloud Billing Support | |
Sellbytel Services Malaysia Sdn. Bhd | Customer Support for Google Workspace | |
Toss Payments Co., Ltd. (Korean Company) | Payment and notification services | |
D-Agent (Korean company) | Local representative for user's privacy inquiries |
Legal minors. Our basic policy is not to collect personal information of Korean residents under the age of 14. If you are Korean residents under the age of 14, you may use Cloud Services only with the consent of a parent or legal representative.
Contact Information. If you have any questions about Google's privacy policy or privacy practices, please contact our Google privacy team (Email: [email protected]). For local representatives under the Act on Promotion of Information and Communication Network Utilization and Information Protection, please see below:
- Name and Representative: D-Agent Co., Ltd. (CEO Jong-Won Park)
- Address and Contact Information: 11th floor, Platinum Building, Gwanghwamun 28, Saemunan-ro 5-ga-gil, Jongno-gu, Seoul, 02-737-0346, [email protected]
Updates to this Notice
We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.