Panopto Authorized User Privacy Policy

Last updated: January 11, 2024

Previous version (effective November 22, 2019):
https://www.panopto.com/privacy-policy-2019/

1. Introduction

This Panopto Authorized User Privacy Policy (this “Privacy Policy”) provides important information regarding how Panopto, Inc. and its subsidiaries and affiliates, including Panopto EMEA Limited, Panopto Asia Pte Ltd, Panopto Asia Pacific Limited, and Panopto ANZ Pty Ltd (collectively, “Panopto”, “we” or “us”), process, use, collect, disclose, and protect Personal Data (as defined below) when you use any Panopto products, software, platforms, applications, and services (the “Services”) through one of our Customers (as defined below). “Personal Data” is information about you that is personally identifiable or can be linked to you through a personal identifier, such as your e-mail address, phone number, location, or the physical address of your organization, and which is not otherwise publicly available (this definition is given here for the purpose of this Privacy Policy only, and some laws may use a different definition). This Privacy Policy does not apply to third-party services that are not under Panopto’s control; those parties’ services are governed by their own privacy policies. An organization or other third party, which is Panopto’s “Customer,” has entered into a written agreement with Panopto for the Services (the “Contract”) and has given you access to use the Services pursuant to the Contract. You, along with others in your organization, are each an “Authorized User.” The Contract contains Panopto’s commitment to deliver the Services to the Customer, which may then invite Authorized Users to access and use the Services. This Privacy Policy applies to you as an Authorized User of the Services. This Privacy Policy may change as our business evolves, so please check back regularly for updates and revisions.

2. Panopto is a Data Processor

The Services Panopto provides to its Customers primarily include a video hosting platform with tools for creating, managing and distributing video, audio, written and other content (“Content”) over the Internet. Customers are responsible, in their sole discretion, for provisioning accounts to Authorized Users to give them access to the Services, and for removing an account once a given Authorized User is no longer permitted to have such access. In each case, the Customer is the controller of the Personal Data of its Authorized Users, and Panopto is the processor carrying out data processing activities in accordance with the Customer’s instructions.

If you use the Services through a Panopto Customer, such as an employer or school, that Customer controls and administers your account, and may access, process, and share your Personal Data, including the Content you create through the Services, in accordance with its own policies and procedures. Panopto is not responsible for the privacy or security practices of its Customers, which may differ from those set forth in this Privacy Policy.

Panopto has no direct control over the Personal Data collected by its Customers. Customers choose the geographical region(s) for the storage of Personal Data, are directly responsible for the configuration and administration of the Services they use, and are responsible for adhering to legal and regulatory requirements, including the collection and maintenance of any necessary rights, permissions, and consents for the Personal Data they collect and manage as a controller.
In its capacity as a controller, each Customer is responsible for maintaining the privacy of the Personal Data pertaining to its Authorized Users uploaded to the Services. Panopto processes such Personal Data under the direction of the Customer, and has no direct relationship with the individuals whose Personal Data it processes. Panopto is not responsible for disclosures of information made by a Customer to its Authorized Users through the Services. If you are concerned about your privacy while interacting with the Services or wish to exercise your rights in connection with the Personal Data included in the Services, you should direct your inquiry or request to the applicable Customer.

3. When Personal Data is Collected

We collect your Personal Data when it is provided to us by the Customer through which you access the Services, as well as when you interact with the Services through a Customer’saccount, such as when you:

  • Upload Content into the Services
  • Appear within Content hosted on the Services
  • View, comment on, or otherwise interact with Content stored in the Services
  • Download, log into, or use a Panopto mobile or other application
  • Interact with a Panopto application programming interface (API)
  • Contact Panopto’s customer support team
  • Interact with Panopto on behalf of a Customer, such as when you are the Customer’s account administrator or technical contact

4. What Personal Data is Collected

When you use the Services, the following categories of Personal Data may be collected and processed by Panopto:

  • Personal Data provided by the Customer: If you are an Authorized User, the Customer may provide your name, email address, and relation to the Customer in order to create an account for you on the Services.
  • Personal Data uploaded to the Services: The Content that you, other Authorized Users, and/or the Customer upload to the Services may include your Personal Data, such as photographic, video, and audio recordings, physical characteristics or descriptions, and likenesses of, or references to, you.
  • Passwords and login credentials: When you log in to the Services, we collect your user ID and password in order for you to access the Services. However, when you log in through the Customer’s systems connected to the Services, such as single sign-on or third-party portals, we may receive user login credentials or an anonymous identifier or token (depending on the configuration of those systems).
  • Information automatically collected: As is true of most websites, when you interact with the Services, we automatically gather certain types of information needed to deliver your actions and instructions over the Internet. This information is stored in our log files and may include Internet protocol (IP) addresses, type of device, operating system, and browser, unique device identifier, browser settings, where an application was downloaded from, usage information, events that occur within an application, performance data, Internet service provider (ISP), referring/exit pages, files viewed (e.g., HTML pages, graphics, etc.), date/time stamp, and/or clickstream data. Similarly, if you contact our customer support team, we may automatically collect or request this information to aid in troubleshooting and error reporting.
  • Contact and billing information: If you are the Customer’s account administrator or technical contact, we will collect your name, email address, mailing and billing address, phone and fax numbers, and billing and account information, including payment details.

5. How Personal Data is Used

We use your Personal Data for the following purposes:

  • Provide the Services to the Customer and its Authorized Users, including performing the actions and instructions requested by you or the Customer
  • Diagnose and repair technical issues with the Services and provide other customer care and support services
  • Communicate Services and other relevant notifications to you
  • Protect the security and safety of the Services and our Customers, detect and prevent fraud, resolve disputes, and enforce our agreements
  • Include personalized features and recommendations within the Services that enhance your productivity and user experience enjoyment, and automatically tailor your experiences within the Services based on your activities, interests, and locations
  • Develop aggregate statistics and analytics information that enable us to operate, protect, make informed decisions about, and report on the performance of our business
  • Monitor the performance of the Services, track account usage, and test and improve the Services
  • Create audit logs to provide Customers with statistical analysis of the use of the Services and to enable us to monitor the Services, perform security audits, track errors, and report activity

6. Cookies and Similar Technologies

Panopto uses cookies and similar technologies in connection with the Services. A cookie is a file containing an identifier (a string of letters and numbers) sent by a web browser, and then stored by the browser. The identifier is sent back to the server each time the browser requests a page from the Services. Panopto uses cookies in a number of ways, such as to authenticate an Authorized User, help mitigate security threats, improve the performance of the Services, track an Authorized User’s interactions with the Services, store information regarding an Authorized User’s preferences, and collect analytics data. You have the ability to decline or accept non-essential cookies within the Services if the Customer through which you access the Services has selected the European Union as the geographic region for the storage of Personal Data or if the Customer has otherwise chosen to enable cookie settings for its Authorized Users. If you decline non-essential cookies, essential cookies (namely those needed for the Services to be functional) will still be set. In addition, you may be able to control the use of cookies and similar technologies at the individual browser level. However, choosing to disable any cookies may limit your use of certain features or functions on the Services. For more information about the cookies that Panopto uses, see the Learn About Panopto’s Use of Cookies page.

7. Sharing of Personal Data

Panopto will never sell your Personal Data or share it with any third party for marketing purposes. Your Personal Data may be shared or disclosed to a third party in the following limited circumstances:

  • Panopto and its subsidiaries and affiliates are in different countries around the world, and by accessing the Services, your Personal Data may be transferred outside of your local jurisdiction. See the International Data Transfers section of this Privacy Policy below for more information on such transfers.
  • We use trusted third-party service providers to help us operate and administer certain aspects of the Services. For example, we use service providers for web hosting, customer service support, and other business operations, and such service providers may need access to Personal Data to complete those functions. In such cases, these service providers must abide by our data privacy and security requirements and are not allowed to use Personal Data they receive from us for any other purpose.
  • At the Customer’s discretion and choice, the Services may be integrated with other third-party systems, applications, or hardware, such as unified communications platforms, learning management systems, or video equipment. In such cases, your Personal Data may be shared with the companies that provide these systems, applications, or hardware. We encourage you to review and understand the terms and conditions and privacy policies of such third parties, over which we have no control or responsibility as to their use of your Personal Data.
  • In the event Panopto is acquired or merges with another company, the Services (including the Personal Data included in them) may be transferred to another entity.
  • As we believe to be necessary or appropriate, we may disclose Personal Data (a) in accordance with applicable laws, (b) to comply with a subpoena or other legal process, (c) to respond to requests from public and government authorities, (d) to enforce our terms and conditions, (e) to protect our operations or those of any of our affiliates, (f) to protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others, and (g) to allow us to pursue available remedies or limit the damages that we may sustain.

8. Protection of Personal Data

Panopto maintains an information security program, under which it has adopted security measures to protect Personal Data against loss, theft, unauthorized access, alteration, disclosure, or destruction.  Among other things, these measures include policies, procedures, employee training, physical access control, and technical elements relating to data access controls. In addition, Panopto uses industry standard encryption to protect Personal Data when it is being exchanged or transmitted.  Panopto has also obtained various compliance certifications and undergoes audits to ensure continued security and compliance best practices.

However, data transmissions over the Internet cannot be guaranteed to be 100% secure or safe from intrusion by others. Be sure to use secure Internet connections, protect your login credentials, and create strong passwords for your Services account. For more information about the measures Panopto takes to protect Personal Data, see the Learn About Panopto’s Information Security Program page.

9. Data Retention

We may retain your Personal Data (even after you cease to use the Services) for any lawfully permitted period of time and as necessary to meet our legal and contractual obligations, enforce our agreements, and enable us to investigate events and resolve disputes.

10. Your Rights as a Data Subject

Depending on your location, Panopto may have certain legal obligations to its Customers relating to your Personal Data. For example, Panopto has obligations as a data processor or service provider under the European Union’s General Data Protection Regulation, the United Kingdom’s Data Protection, Privacy and Electronic Communication Regulations, Switzerland’s Federal Act on Data Protection, the California Consumer Privacy Act and the California Privacy Rights Act, and other applicable data protection laws or regulations (“Data Protection Laws”). In addition, you (as a data subject) may have certain rights under these Data Protection Laws,
such as:

  • The right to object to processing
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to lodge a complaint
  • The right to withdraw consent

However, it is important to keep in mind that Panopto is a service provider to its Customers, and therefore acts as a processor, and not a controller, of your Personal Data.  If you wish to exercise any of your rights pursuant to applicable Data Protection Laws, you should contact the relevant Customer, which is the controller of your Personal Data and is therefore responsible for protecting your rights under these Data Protection Laws. If you contact Panopto directly, we may forward your request or inquiry to the relevant Panopto Customer.

11. International Data Transfers

As described above, Customers have control and responsibility for selecting the appropriate geographical region(s) in which they store and upload Personal Data and administering the Services in accordance with applicable Data Protection Laws.
Panopto is a multinational organization that is headquartered in the United States and has subsidiaries, systems, and business functions around the world. In its capacity as a processor to its Customers, Panopto may share Personal Data with its affiliates and service providers, which may involve transferring it to other countries or allowing personnel at Panopto or its affiliates or service providers to remotely access it from other countries. Where required, such international transfers may be made pursuant to data processing agreements with standard contractual clauses or an alternative mechanism allowed under applicable Data Protection Laws. These other countries may have Data Protection Laws that are different from those in your country. Regardless of location, Panopto handles Personal Data as described in this Privacy Policy, and takes steps to ensure that any recipient of your Personal Data adheres to these same practices.

Data Privacy Framework Notice
Panopto complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Panopto has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Panopto has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. To learn more, visit our Data Privacy Framework Notice here

12. Changes to this Privacy Policy

We may change, modify, or update this Privacy Policy at any time. When we do, we will revise the date at the top of this page and provide a link to the archived previous version. We encourage you to check this page frequently for any changes to this Privacy Policy.

13. Contacting Panopto

If you have any questions or concerns about your privacy in connection with your use of the Services through a Customer, you should direct them to that specific Customer. As noted above, if you contact us with any such questions or concerns, we may forward them to the relevant Customer.
If you have any questions about this Privacy Policy, please contact us at [email protected] or via mail (worldwide) at:

Panopto, Inc.
Attn: Data Protection Officer
600 River Avenue
Suite 100
Pittsburgh, PA 15212