Privacy Notice

AvePoint, Inc., including its wholly owned (directly and indirectly) subsidiaries (hereinafter “AvePoint”) is committed to protecting the privacy and security of the personal information of our customers, employees and third parties.

We respect each individual's right to personal privacy. We will collect and use information we receive directly from you only in the ways disclosed in this Privacy Notice. This Privacy Notice does not apply to practices that AvePoint does not own or control, or to individuals that AvePoint does not employ or manage.

1. Information We Collect

AvePoint collects many kinds of information in order to operate effectively and provide you the best products, services, and experiences we can. Some of this information you provide directly to us. Some of it we get by observing how you interact with our products and services. Some of it is available from other sources that we may combine with the data we collect directly. Regardless of the source, we believe it is important to treat that information with care and to help you maintain your privacy.

1.1 What we collect

Registration

When you sign up to use our sites or services you may be required to provide information about yourself, such as your name, birthdate, organization name, e-mail and postal address and postal code.

Signing In

To access some AvePoint services, you will need to sign in with a username and password, which we refer to as your user account.

Using Our Sites And Services

We collect information that tells us how you interact with our services, including the browser you're using, your IP address, location, cookies or other unique IDs, the pages you visit and features you use.

Product and Services Queries

If you request information about AvePoint products and services, we will collect your name, e- mail address, phone number, and additional company information.

Data From Other Sources

We may get additional information about you, such as demographic data we purchase from other companies.

1.2 How We Collect Information:

We use a number of methods and technologies to gather information about how you use our sites and services, such as:

• Web forms, such as when you type information into a registration form or type a search query into a search box.
• Technologies like cookies and web beacons (Please visit Section 2 of this Privacy Notice to learn more about these technologies).
• Web logging, which enables us to collect the standard information your browser sends to every website you visit - such as your IP address, browser type and language, and the site you came from - as well as the pages you visit and the links you click while using our sites and services.
• Software installed on your computer or other device, which may send back information needed to operate, update or improve that software.
• E-mails
• Hard copy surveys

Customer Data:

AvePoint receives and processes information (in paper and electronic form) in accordance with its clients’ instructions for the purpose of providing services to its customers. At AvePoint, we recognize the importance of privacy to our customers, and we strive to safeguard any personal information we receive and may need to use in support of our customers.

AvePoint Customer Information

Customer Information is information we collect from you when you purchase and contract with us to provide services or technology solutions. We will ask you to provide the following information:

• E-mail address;
• Phone number;
• Information regarding your role within your company;
• Company information, including company name, address, billing information (e.g., P.O. number, bank wire information, credit card number), and company size; and
• Contact information for other relevant points of contact within your company as needed for AvePoint to provide its services.

If you purchased one of AvePoint’s technical solutions, you may have the option to add additional users to your account. We will ask for the name and e-mail address of the additional users you want to add. This information is used by AvePoint to provide the requested service.

In the course of using AvePoint’s technical solutions or services, you may provide business information related to your company. Business information may include copies of your company’s policies and process documents, responses to assessment questionnaires and evidence to support those responses. This information is stored on AvePoint’s systems and is used to provide contracted services in accordance with the applicable terms and conditions of agreements between AvePoint and your company.

1.3 How We Use APIs:

AvePoint products use and transfer data only using recommended methodologies and Application Programming Interfaces (“APIs”) approved by Microsoft, Google, Salesforce, or other platform technology providers. Our applications' use of APIs adheres to the respective user data policies of such platform technology providers, as applicable. For example, our use of Google APIs adheres to the Google API Services User Data Policy (including Google’s “Limited Use” requirements thereunder).

1.4 Third Party Websites

Please note that our sites may include links to third-party sites whose privacy practices may differ from those of AvePoint. If you submit personal information to any of those sites, your information is governed by the privacy statements on those sites. We encourage you to review the privacy statement of any site you visit.

2. Cookies, AI, & Similar Technologies

2.1 Our Use of Cookies

Most AvePoint websites use “cookies”, which are small pieces of data sent to your browser by a web server. Upon subsequent requests, your browser will send the cookie data to the same web server, or other web servers in the same domain, when accessing the website. Cookies contain data that can be read by a web server in the domain that issued the cookie to you. That data often consists of a string of numbers and letters that uniquely identifies your computer but may contain other information as well. Here is an example of a unique ID number stored in a cookie that AvePoint might place on your device when you visit one of our websites: 0aj17be34l7srju0qcdnftigt0

We May Use Cookies For:

Sign-in and Authentication

When you sign into a site or service using your account on an AvePoint website, we store a unique ID number, and the time you signed in, in an encrypted cookie on your hard disk. This cookie allows you to move from page to page at the site without having to sign in again on each page. When you sign out, these cookies are deleted from your computer. This is commonly referred to as a “session cookie”. We also use cookies to improve the sign-in experience. For example, your username may be stored in a cookie that will remain on your computer after you sign out. This cookie allows your username to be pre-populated, so that you will only need to type your password the next time you sign in. If you are using a public computer or do not want this information to be stored, you can select the appropriate radio button on the sign-in page, and this cookie will not be used.

Site Analytics

We may use cookies to count the number of unique visitors to a web page or service or to develop other aggregate statistics about the operations of our sites and services. These analytics help us operate and improve the performance of these sites and services.

In addition to the cookies AvePoint may set when you visit our websites, third parties may also set certain cookies on your device when you visit AvePoint sites. In some cases, that is because we have hired the third party to provide certain services on our behalf, such as site analytics. In other cases, it is because our web pages contain content or ads from third parties, such as videos, news content or ads delivered by other ad networks. Because your browser connects to those third parties’ web servers to retrieve that content, those third parties are able to set or read their own cookies on your device and may collect information about your online activities across websites or online services.

2.2 How to Control Cookies

Browser Controls to Block Cookies

Most web browsers automatically accept cookies, but you can usually modify your browser setting to block cookies. Instructions for blocking cookies in different browsers are usually available at each browser’s privacy statement or in their help files or settings pages.

Please be aware that if you choose to block cookies, you may not be able to sign in or use other interactive features of AvePoint sites and services that depend on cookies.

Browser Controls to Delete Cookies

If you accept cookies, you can delete them later. Instructions for deleting cookies in different browsers are usually available at each browser’s privacy statement or in their help files or settings pages.

Please be aware that if you choose to delete cookies, any settings and preferences controlled by those cookies will be deleted and may need to be recreated.

Browser Controls for “Do Not Track” and Tracking Protection

Some newer browsers have incorporated “Do Not Track” features. Most of these features, when turned on, send a signal or preference to the websites you visit indicating that you do not wish to be tracked. Those sites (or the third-party content on those sites) may continue to engage in activities you might view as tracking even though you have expressed this preference, depending on the sites’ privacy practices. Because there is not yet a common understanding of how to interpret the Do Not Track signal, AvePoint does not currently respond to the browser Do Not Track signals on its own websites or online services, or on third-party websites or online services where AvePoint provides content or is otherwise able to collect information.

2.3 Our Use of Web Beacons

AvePoint web pages may contain electronic images known as web beacons - sometimes called single pixel gifs - that may be used to help deliver cookies on our sites, let us count users who have visited those pages and deliver co-branded services. We may include web beacons in our promotional e-mail messages or newsletters to determine whether messages have been opened and acted upon.

Finally, AvePoint sites may contain web beacons from third parties to help us compile aggregated statistics regarding the effectiveness of our promotional campaigns or other website operations. These web beacons may allow the third parties to set or read a cookie on your computer. These companies may collect information about your online activities across websites or online servers, however, we prohibit third parties from using web beacons on our sites to collect or access your personal information. You may be able to opt out from data collection or use by these third-party analytics companies by opting out on their respective websites.

2.4 Other Similar Technologies

In addition to standard cookies and web beacons, websites can use other technologies to store and read data files on your computer. This may be done to maintain your preferences or to improve speed and performance by storing certain files locally. But, like standard cookies, it can also be used to store a unique identifier for your computer, which can then be used to track behavior.

2.5 Ava

AvePoint utilizes a customer and partner-facing chatbot called Ava, within our AOS and Elements web pages. Ava utilizes AI to generate content and engage with users. Please know that, as with any generative AI product, Ava can make mistakes and it is each user’s responsibility to ensure the accuracy of all content generated by Ava. Please refer to the Ava Terms of Use, which govern your use of Ava, available at https://www.avepoint.com/agreements/ava-terms-of-use.

3. How We Use Your Personal Information

We will use your Customer Information to:

• Provide the services and access to the technology solutions you have purchased
• Renew subscription-based services
• Communicate with you as necessary for your use of our products or services, for example, informing you when a subscription is ending, letting you know when updates are available or letting you know when you need to take action to keep your account active.
• Provide customer support. While providing you with customer support we may also gather additional information from you to investigate technical issues, and respond to your support questions;
• Contact you about a request of you for products or services, and to follow up with you about the products and services in which you have expressed an interest;
• Analyze the characteristics of our customers and improve our services. Occasionally, we will provide anonymized aggregated statistics about our customers in reports made available to our customers, to third parties, or to the public. These reports will not identify individual AvePoint customers.
• Operate, improve, and personalize the products and services we offer. Information collected through one AvePoint service may be combined with information collected through other AvePoint services to give you a more consistent and personalized experience in your interactions with us. We may also supplement this with information from other companies. For example, we may use services from other companies to help us derive a general geographic area based on your IP address in order to customize certain services to your geographic area.
• Communicate regularly with you about your use of the software and service, AvePoint events and other industry or privacy-related news, and other AvePoint services we believe may be of interest to you – if the applicable laws allow it or if we have your express permission to do so.

4. Sharing or Disclosing Your Personal Information

AvePoint transfers information to our corporate affiliates, service providers, and other partners who process it for us, based on our instructions, and in compliance with this Privacy Notice and any other appropriate confidentiality and security measures. Except as described in this Privacy Notice we will not disclose your personal information to a third party without your consent.

Contexts and situations where we may share or disclose your personal data without your explicit consent are:

• Within AvePoint affiliates and subsidiaries
• As part of a corporate transaction such as a merger or sale of a business
• With partners, vendors and agents of AvePoint Specifically, we may share it with companies we have hired to provide services globally on our behalf. Examples of these services include customer support, information technology, payments,.
• When required by law or to respond to legal process or lawful requests, including from law enforcement or other government agencies or other public authorities, including to meet national security or law enforcement requirements;
• To protect the rights or property of AvePoint or our customers, including enforcing the terms governing your use of the services.
• When required to combat fraud or protect our reasonable interests; and
• To act on a good faith belief that access or disclosure is necessary to protect the personal life and safety of AvePoint employees, customers or the public.

With your consent or if the applicable laws allow it, we may also share your personal information with partners, vendors and agents of AvePoint for providing marketing assistance, sales, data analysis, research and surveys.

When we share information with these other companies to provide services for us, they are not allowed to use it for any other purpose and must keep it confidential.

5. Accessing And Updating Your Personal Information

Some AvePoint services or AvePoint websites may give you the ability to access, correct or delete your personal information online. To help prevent your personal information from being viewed by others, you first might be required to sign in. The method(s) for accessing your personal information will depend on which sites or services you have used.

You can also contact AvePoint by using a provided contact form on the website, via e-mail to privacy@avepoint.com or by using any of the communication methods set out in Section 13 below.

AvePoint will make commercially reasonable efforts to provide you reasonable access to any of your personal information we maintain within 30 days of your access request. We provide this access so you can review, make corrections, or request deletion of your data. If we cannot honor your request within the 30-day period, we will tell you when we will be able to provide access. In the unlikely event that we cannot provide you access to this information; we will explain why we cannot do so.

Please note that we may still use any aggregated and de-identified Personal Information that does not identify any individual and may also retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

6. Children

When an AvePoint site or service collects age information, it will either block users under 16 or will ask them to provide consent from a parent or guardian before they can use it. We will not knowingly ask children under 16 to provide more information than is necessary to provide the service.

When consent is granted, the child's account is treated much like any other account. The child may have access to communication services like e-mail, instant messaging and online message boards and may be able to communicate freely with other users of all ages.

Parents/guardians can change or revoke the consent choices previously made, and review, edit or request the deletion of their children's personal information by using the contact form on the website.

7. Communication Preferences

If you receive promotional e-mails from us and would like to stop getting them in the future, you can do so by clicking the unsubscribe link provided in the e-mail.

Depending on the respective service, you may also have the option of proactively making choices about the receipt of promotional e-mail, telephone calls, and postal mail from particular AvePoint sites or services by visiting and signing into the corresponding services website.

These choices do not apply to the receipt of mandatory service communications that are considered part of certain AvePoint services and to privacy-related updates such as notification of new or changes to existing privacy regulations, which you may receive periodically unless you cancel the service.

8. International Users and Data Transfer

Personal information you submit to us may be transferred to the United States and other countries to be processed by us or third parties in order to provide this website, our technology solutions and services to you or for such other purposes as set forth in this Privacy Notice.

AvePoint will comply with all applicable laws with regard to these transfers. Additionally, the following terms apply with regard to personal data of individuals from the respective regions:

8.1 European Economic Area, United Kingdom and Switzerland

Standard Contractual Clauses

For transfers of personal data between our entities in the European Union and other AvePoint entities, AvePoint has entered into the EU Standard Contractual Clauses (“SCCs”) with all of its affiliated companies in order to ensure an adequate level of protection of such personal data. AvePoint has also implemented the United Kingdom’s International Data Transfer Addendum to the EU Standard Contractual Clauses.

Data Privacy Framework

In addition to the protection under the SCCs, AvePoint (including its controlled U.S. subsidiaries) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. AvePoint (including its controlled U.S. subsidiaries) has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. AvePoint (including its controlled U.S. subsidiaries) has furthermore certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

The privacy principles in this Privacy Notice are based on the SCCs and these Data Privacy Framework Principles (“DPF Principles”) and are further articulated in the AvePoint Data Privacy Framework Notice (“Data Privacy Framework Notice”) available at https://www.avepoint.com/company/data-privacy-framework-notice that sets out the privacy principles to which AvePoint adheres. If there is any conflict between the terms in this Privacy Notice (including AvePoint’s obligations stemming from its compliance with the SCCs) and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.

This published Privacy Notice and the Data Privacy Framework Notice are accurate, comprehensive, prominently displayed, completely implemented, accessible and conform to the SCCs and the DPF Principles. In addition, we provide appropriate employee training (and discipline) and have internal procedures for periodically conducting objective reviews of our compliance with the SCCs and the DPF Principles.

Ways To Resolve Disputes

If you are a resident of the EEA and have an unresolved privacy or personal information collection, use, or disclosure concern that we have not addressed satisfactorily, please contact the EU Data Protection Authorities. If you are a resident of Switzerland and have this concern, please contact the Swiss Federal Data Protection and Information Commissioner.

For more information on how to contact the EU Data Protection Authorities, click here (https://edpb.europa.eu/about-edpb/about-edpb/members_en).

For more information on how to contact the Swiss Federal Data Protection and Information Commissioner, click here (https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html).

8.2 United States of America

California, Colorado, Connecticut, Utah & Virginia

The California Consumer Privacy Act of 2018 (“CCPA”) became effective on January 1, 2020 and created a variety of privacy rights for California consumers. In November 2020, California amended the CCPA, effective January 1, 2023. Additional states have passed laws extending similar privacy rights to their consumers, including Virginia (effective January 1, 2023), Colorado (effective July 1, 2023), Connecticut (July 1, 2023), and Utah (December 31, 2023). AvePoint uses this Privacy Notice to make disclosures to you as required by these state laws.

Please note that the rules implementing some of these laws have not yet been finalized. We are continuously working to better comply with these laws, and we will update our processes, disclosures, and this notice as these implementing rules are finalized.

Residents of these states are entitled to ask us for a notice identifying the categories of Personal Information which we share with our affiliates and/or third parties for marketing purposes, and for us to provide contact information for such affiliates and/or third parties.

9. Support Data

Support Data is the information we collect when you submit a support request or run an automated troubleshooter, including information about hardware, software, and other details related to the support incident, such as: contact or authentication information, chat session personalization, information about the condition of the machine and the application from when the fault occurred and during diagnostics, system and registry data about software installations and hardware configurations, and error- tracking files. We use Support Data as described in this Privacy Notice, and additionally use it to resolve your support incident and for training purposes.

Support may be provided through phone, e-mail, or online chat. We may use remote access (“RA”), with your permission, to temporarily navigate your desktop. Phone conversations, online chat sessions, or RA sessions with support professionals may be recorded and/or monitored. For RA, you may also access the recording after your session For online chat or RA, you may end a session at any time of your choosing.

Following a support incident, we may send you a survey about your experience and offerings. You must opt-out of support surveys separately from other communications provided by AvePoint, by contacting support or through the e-mail footer.

To review and edit your personal information collected through our support services, please contact us by using our web form.

Some business customers may purchase enhanced support offerings. These offerings are covered by their own contract terms and notices.

10. Payment Data

Payment Data is the information that you provide when you make purchases. This may include your payment instrument number (e.g., credit card, PayPal), your name and billing address, and the security code associated with your payment instrument (e.g., the CSV or CVV). This section provides additional information regarding the collection and use of your payment information.

Payment Data is used to complete your transaction, as well as for the detection and prevention of fraud. In support of these uses, AvePoint may share your Payment Data with banks and other entities that process payment transactions or other financial services, and for fraud prevention and credit risk reduction.

When you provide Payment Data to us, we may store that data to help you complete future transactions.

You may remove the payment instrument information associated with your organizational account by contacting us. After you close your account or remove a payment instrument, however, AvePoint may retain your payment instrument data for as long as reasonably necessary to complete your existing transaction, to comply with AvePoint’s legal and reporting requirements, and for the detection and prevention of fraud.

11. Protecting the Security of Personal Information

AvePoint is committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use or disclosure. For example, we store the personal information you provide on computer systems that have limited access and are in controlled facilities. When we transmit highly confidential information (such as a credit card number or password) over the Internet, we protect it through the use of encryption, such as the Transport Layer Security or Secure Socket Layer protocols.

If a password is used to help protect your accounts and personal information, it is your responsibility to keep your password confidential. Do not share it. If you are sharing a computer, you should always log out before leaving a site or service to protect access to your information from subsequent users.

AvePoint has received ISO 27001:2015 certification with respect to secure software development and maintenance process including support business functions like Infosec, IT, HR, Sales and Marketing, Project Management, Operations and Call Center.

For more information about Data Protection, Privacy and Security at AvePoint, please visit https://www.avepoint.com/company/trust-center.

12. Where Information is Stored and Processed

Personal information collected on AvePoint sites and services may be stored and processed in the United States or any other country where AvePoint or its affiliates, subsidiaries or service providers maintain facilities. We take steps to ensure that the data we collect under this Privacy Notice is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located.

AvePoint may retain your personal information for a variety of reasons, such as to comply with our legal obligations, resolve disputes, enforce our agreements, and as long as necessary to provide services. To learn how to access your personal information, visit section 5 (Accessing And Updating Your Personal Information).

13. How Can I Contact AvePoint Or Exercise My Data Subject Rights?

If you have a technical or general support question, please visit https://www.avepoint.com/ to learn more about AvePoint’s support offerings.

If you have a general privacy question, or a question with regard to this Privacy Notice, or to exercise your data subject rights under applicable data protection laws, you may contact AvePoint:

• by e-mail to: privacy@avepoint.com;
• by mail to: AvePoint, Inc., River Front Plaza, West Tower, 901 East Byrd Street, Suite 900, Richmond, VA, Attn: Office of the General Counsel.
• by telephone: 1-888-995-1342 (United States)

You may contact our Data Protection Officer at privacy@avepoint.com.

If you are a resident of Singapore, please see Section 8 above for further information about your privacy rights.

To find the AvePoint subsidiary in your country or region, see https://www.avepoint.com/about/contact/.

14. Changes to Our Privacy Notice

We will occasionally update this Privacy Notice to reflect customer feedback and changes in our services. When we post changes to the Privacy Notice, we will revise the "Revision History” below. If there are material changes to the Privacy Notice regarding how AvePoint will use your personal information, we will notify you either by prominently posting a notice of such changes before they take effect or by directly sending you a notification. We encourage you to periodically review the Privacy Notice to learn how AvePoint is protecting your information when using our products and services.

Revision History