LastPass Global Privacy Policy

Last updated on February 1, 2024

Table Of Contents:

  1. Who We Are and Scope Of This Privacy Policy
  2. What Personal Data Do We Collect
  3. How We Use Your Data And Legal Basis
  4. Who We Share Your Personal Data With
  5. How Long Do We Process Your Data
  6. Cross Border Data Transfers
  7. Security
  8. Children’s Privacy
  9. Your Rights
  10. Changes
  11. Contacting LastPass
  12. European Economic Area, United Kingdom, and Switzerland Supplement
  13. California Supplement

1. Who We Are and Scope Of This Privacy Policy

LastPass is an award-winning password manager and provider of password and identity management solutions (“Services”) that are convenient, easy to manage and effortless to use for individuals and businesses. This Global Privacy Policy (hereinafter “Privacy Policy”) is designed to provide customers, end users, and visitors with important information about the types of personal data LastPass US LP and its affiliates (“LastPass,” “we,” “us,” “our”) collect from or about you and our practices for collecting, using, sharing, or processing of that data. LastPass US LP is based in the United States of America, with affiliates around the world. A complete list of LastPass entities can be found here (within the LastPass Affiliate Disclosure).

This Privacy Policy addresses data collected by LastPass where we act as the controller or business, which includes data collected when you visit our webpage(s); visit our offices; register for or participate in our webinars, whitepapers, or contests; communicate with us; and download, access, or otherwise use our Services. This Privacy Policy does not apply in situations where we process personal data on behalf of our customers as a processor or service provider. If our customer provides you with access to our Services, your use is subject to our customer’s privacy and security practices. For more information relating to our customer’s privacy practices or to exercise your rights, please contact the customer directly.

2. What Personal Data Do We Collect

At LastPass, we strive to limit the types and categories of personal data that is collected from and processed on behalf of our users to include only data which is necessary to achieve the purpose(s) for which it was collected. We do not use personal data for additional purpose(s) which are incompatible with their initial collection. In other words, we have measures and policies in place designed to ensure that we only collect and process data from our users that we believe is necessary to provide them with a world-class Service.

Data We Collect Directly From You

When you visit our website(s), interact with LastPass, or use our Services, you may provide us with the following categories of personal data:

  • Customer Account Data. Your email is needed to validate, create, and use LastPass Services. However, you may also choose to provide identifiers such as first and last name or phone number to help maintain and support your account. Members of a LastPass Families Plan may also provide emails and names of other authorized users.
    • A Note Regarding Your Mobile Phone Number. You may provide us with your mobile phone number if you set up two-factor authentication and/or opt-in to our SMS account recovery feature. By opting in to SMS account recovery, you consent to receiving autodialed text messages, including SMS messages, that may be sent by or on behalf of LastPass at the mobile phone number you provide us. Message and data rates may apply.
    • A Note Regarding Your Master Password. Except for those LastPass Business accounts which utilize alternative authentication methods (e.g., Single Sign On or “SSO”) to access LastPass, users must create a “Master Password,” which is used to access their LastPass account and generate the encryption keys that secure the data they store within the LastPass Service (“Customer Content” as further defined below). LastPass is designed to keep your most sensitive data safe using a local-only, zero knowledge security model. This means that no one at LastPass has access to your master password or the data stored in your vault, except you. Vault data is encrypted locally at the device level before syncing to LastPass servers for safe storage – users can only decrypt their vault using their own unique decryption key derived from their master password.
  • Billing Data. LastPass utilizes third-party payment processing providers to process payments made through our websites. Where required for regulatory, legal, tax compliance, or customer support purposes, we store partial payment information (such as the expiration date and last four digits of your credit card). Data that is maintained by our payment processors such as name, address, and phone number associated with a payment method may be accessed only by select individuals with role-based access, in a secure manner, under appropriate confidentiality obligations, and a legitimate need to know. LastPass does not maintain your complete credit card numbers, payment data or otherwise receive or store any billing data where payment is made for a LastPass subscription through the Google Play or Apple App Store.
  • Customer Content. Usernames, passwords, secure notes, files, documents, or similar data that we maintain on your behalf, as well as any other information you may choose to upload or input (e.g., manually such as images, audio, or other information or via optional functionality such as password save and fill) to your LastPass account in connection with your use of the Services, all of which is referred to as “Customer Content” in our terms of service. This data is encrypted within your vault using our zero knowledge security model.
  • Webinars, Trainings, Contests, and Program Data. Data you provide to us when you create an account; request support or technical assistance; or register for any of our events, contests, webinars, whitepapers and surveys. This typically includes, but is not necessarily limited to, identifiers and employer information, such as, first and last name, a valid email address, company name, job title, phone number, and location.
  • Support and Correspondence. Data you provide to us when you communicate with us by email, posts to social media pages, or another method. We process this data to respond to you and in the normal course of our business operations. You may also provide audio or video data when we record sales or support calls.
  • Feedback. Where you elect to provide us with feedback, which may include, but is not limited to, reviews or suggestions posted online (e.g., in social channels or review sites,) on app stores, made in connection with surveys, market research, etc., we may use any applicable personal data provided with the feedback to respond to you. We may also use feedback as described in the Terms of Service.

Data Automatically Collected When Using Our Websites Or Services

  • Device and Usage Data (including Session, Location, and Usage data). When you visit our websites and use our Services, we receive data that you or others voluntarily enter, as well as data that is automatically logged by the website or Service (for example, hardware, equipment and devices used, IP addresses, location, language settings, operating system used, unique device identifiers, and other diagnostic, troubleshooting, crash, and bug reporting data). We utilize this data to provide, operate, support the use of, and improve our Services. We collect location-based data for the purpose of providing, operating, and supporting the Service and for fraud prevention, export compliance and security monitoring. (You can disable location data transmission on mobile devices at any time by disabling location services from the settings menu on your device.)
  • Cookies and Similar Technologies. Where applicable, if we are permitted to place cookies or contact you for marketing purposes, we may also use your personal data for purposes that are consistent and compatible with the original purpose of collection under the same legal basis or where your consent has been given. Please refer to our Cookie Notice for more information. We may also contact you where we have a legitimate business purpose to do so (e.g., if you are a current subscriber to one of our Services). Note that we have made it easy for you to opt-out of receiving further marketing communications from LastPass at any time by visiting https://lp.lastpass.com/LastPass-Unsubscribe.html.

Data We Collect From Other Sources

  • Social Media Integrations. Many of our websites include optional social media integrations and features, such as Facebook, Google, and Twitter “share” buttons. If you use these features, they may collect your IP address or data about which page you are visiting on our site and may set a cookie to enable the feature to function properly. If you use these services, integrations, and features to authenticate your identity or pre-populate our sign-up or feedback forms, you direct these services to provide certain personal data with us such as your name and email address. You may be able to determine what you authorize those services provide us via your privacy settings of that service.
  • Third-Party Sources. In some circumstances, we work with third-party partners and service providers that provide us with data about you. We also collect publicly available data about you from other third-party sources. This data from third-party sources includes identity breach monitoring data (e.g., for dark web monitoring) and other information that may help us detect potential fraud, or information to identify leads and prospects for marketing purposes. This data may contain personal data such as personal identifiers, professional or employment-related information, business contact information, internet activity information, social media profiles, LinkedIn URLs, and custom profiles. We may combine this third-party sourced data with personal data provided by you to draw inferences or make assumptions.

3. How We Use Your Data and Legal Basis

LastPass processes personal data for the following purposes and relying on the associated legal basis:

| Purpose | Description | Legal Basis for Processing |
| --- | --- | --- |
| LastPass Services | | |
| Provide, operate, and support our Services | We process your personal data to administer our Services and meet our obligations under the applicable Terms of Use and Service options you request | Necessary for the performance of a contract or our legitimate interest to operate our Services |
| Account management | We process your personal data to manage customer accounts, process payments, manage our relationship with you, and send you administrative and product notifications about the Services | Necessary for the performance of a contract or legitimate interest to manage customer accounts |
| Address and respond to service, security, and customer support, and technical issues | We process your personal data if you contact us for support, to assist with responding to your inquiries and use of the Services, and to address technical or security issues | Necessary for the performance of a contract or legitimate interest to fulfill your requests and ensure Services meet customer expectations |
| Improve our Services and enhance security of our users | We process your personal data to identify usage trends and issues in order to optimize and improve the performance of our Services and research security threats and vulnerabilities to provide analysis and valuable insights back to our users | Necessary for the performance of a contract or our legitimate interest to provide our Services and ensure our Services meet our customer expectations |
| Maintain security, regulatory compliance, and to prevent fraud | We process your personal data to detect, prevent, or otherwise address fraud, unlawful activities, comply with applicable law, or to address security issues | Our legitimate interest to protect the integrity of the Services, LastPass, and its users |
| Planning and product development | We process your personal data to conduct research and analysis for internal reporting and business modeling to plan for future product features and forecast business goals | Our legitimate interest in the management of our business operations |
| Websites and LastPass-branded sites | | |
| Maintain and improve our websites | We process your personal data to operate, improve, and enhance our websites and provide you with information you access and request | Our legitimate interest in providing a functioning online experience and content to our customers and prospective customers regarding our Services and related information. |
| Maintain security | We process your personal data to detect, prevent, or otherwise address security issues or unlawful activity on our websites | Our legitimate interest to protect the integrity of the Services, LastPass, and its users |
| Manage advertising efforts | We process personal data to understand how you use our websites and what you like and dislike to display personalized advertisements and content based upon your interests | Our legitimate interest in advertising our Services to the extent you provided your consent, where required by law. To exercise your rights, please refer to Section 9. |
| Visits to our offices and webinars | | |
| Manage participation and attendance of webinars and contests | We process your personal data to provision you access to, or allow you to participate in, a webinar, training, whitepaper, or contest | Our legitimate interest in providing the webinar, training, contest, or other programming; necessary for performance of a contract; or consent |
| Register attendees and on-site visitors | We process your personal data to register you and, where applicable, to complete associated non-disclosure agreements for security reasons | Legitimate interest in protecting our employees, visitors, and information; necessary for performance of a contract; or consent |
| Other and Communications | | |
| Call recordings | We process your personal data, including recording calls, for training, quality assurance, and administrative purposes and to improve sales operations and customer engagement | Our legitimate interest in maintaining quality customer service and engagement or consent |
| Identify prospects for marketing purposes | Analyze our records to identify prospects as well as their presumed or identified needs or preferences and serve ads and other communications that may be of interest to you | Our legitimate interest in identifying prospective business contacts and conduct direct marketing |
| Promote Services | We process your personal data to send you communications about the Services you use as well as marketing information related to your Services, which includes announcements about the Services, product updates, news, or events | Our legitimate interest in conducting direct marketing or when you have provided prior consent. To exercise your rights and opt-out, please refer to Section 9. |
| To comply with applicable laws and administrative requests | We process your personal data to comply with applicable laws and administrative or law enforcement requests, protect our rights and the rights of others, and to assert and defend against claims | Necessary for compliance with a legal obligation or our legitimate interests of pursuing our legal rights and protecting our interests |

LastPass may aggregate or de-identify your personal data in order to minimize the amount of personal data processed and for purposes listed. LastPass maintains such data without attempting to re-identify it.

4. Who We Share Your Personal Data With

We may share your personal data for the following reasons:

  • With our affiliated companies and subsidiaries within the LastPass company group in order to operate our business and provide our services;
  • With third-party service providers (such as IT and security service vendors, website hosting facilities, and email distribution services), contractors, and other third-parties we use to support our business. Such third-parties operate under appropriate confidentiality and data privacy obligations (only for the purposes identified in Section 3, “How We Use Your Data”);
  • With specific partners that resell LastPass Services, to the extent you consent to such sharing (where required by applicable law);
  • If you are provided our Services by a LastPass customer, we may share your personal data with the affiliated customer responsible for your access to the Services to the extent this is necessary for verifying accounts and activity or investigating suspicious activity;
  • With third-party social media networks, advertising networks, so that LastPass can market and advertise on those platforms;
  • At your direction, with separate, specific notice to you, or with your consent;
  • In connection with a merger, divestiture, acquisition, reorganization, restructuring, financing transaction, or sale of all or substantially all of the assets pertaining to a product or business line;
  • To courts or authorities or other third-parties if we believe disclosure is lawful, necessary or appropriate to detect, investigate, prevent, or take action against illegal activities, fraud, or situations regarding the safety or rights of LastPass, our employees, you, or others;
  • To courts or authorities or other third-parties in order to enforce our Terms of Service or other agreements we have with you; and
  • As required by law or administrative order, which includes responding to relevant government or regulatory requests (Please refer to our Government Request Policy for more information).

To learn more about how LastPass protects personal data, to review and execute appropriate data processing addendums (where relevant), or review locations where LastPass may process your Customer Content (including any personal data therein), please visit the LastPass Trust & Privacy Center.

LastPass does not sell your personal data as that term is traditionally understood. However, under some US state laws, certain activities, including the use of third-party cookies may be considered a “sale” of your data. We may also share your personal data with third parties for the purposes of cross-contextual advertising.

LastPass may share or disclose aggregate or anonymized data that does not identify an individual or a household.

5. How Long Do We Process Your Personal Data

We keep your personal data no longer than is needed for the business purposes for which it was collected (as outlined in Section 3) or as necessary to comply with our own legal and regulatory obligations. Unless requested sooner or a shorter retention period is defined, the applicable Technical and Organizational Measures (“TOMs”) documentation designates when your personal data, including your account, LastPass vault (and the Customer Content therein), will be deleted in accordance with our record retention processes. We determine the appropriate retention period based on the length of time we have an ongoing relationship with you and reasonable time after which we may have a legitimate need to reference your personal data to address issues which may arise, whether there is a legal obligation to retain such records, and whether retention is allowed by applicable law.

6. Cross Border Data Transfers

As a global organization, LastPass has international affiliates and subsidiaries, utilizes third-party service providers, and maintains a global infrastructure. Data that we collect and maintain will be transferred to and processed in the United States and other countries around the world. In cases of a transfer to “third countries,” which may be deemed to not provide the same level of data protection required by the European Commission or your applicable jurisdiction, LastPass applies additional safeguards, in accordance with applicable legal requirements, to ensure that the recipient provides an adequate level of data protection. LastPass utilizes, as applicable and required, lawful data transfer mechanisms, such as the Data Privacy Framework (see “Data Privacy Framework Notice” below), Standard Contractual Clauses (inclusive of any variations recognized in other regions of the world), or other appropriate legal mechanisms to safeguard personal data transfers from the European Economic Area, United Kingdom, or Switzerland.

Data Privacy Framework Notice

LastPass complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. LastPass has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. LastPass has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

LastPass is responsible for the processing of personal data it receives under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF and that it subsequently transfers to a third-party acting as an agent on its behalf and in accordance with Section 4 of this Privacy Policy. LastPass complies with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles for all onward transfers of personal data from the EEA, the United Kingdom, and Switzerland – including the onward transfer liability provisions. In certain situations, LastPass may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Please note, your vault data is encrypted locally at the device level before syncing to LastPass servers for safe storage; therefore, no one at LastPass has access to your master password or the data stored in your vault.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, LastPass commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to https://feedback-form.truste.com/watchdog/request, an alternative dispute resolution provider based in the United States. The services of TRUSTe are provided at no cost to you.

For complaints regarding EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF compliance not resolved by any of the other aforementioned mechanisms, you may, under certain conditions described on the DPF website, invoke binding arbitration. The Federal Trade Commission has jurisdiction over LastPass’ compliance with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

APEC Privacy Certifications

LastPass’ privacy practices, as described in this Privacy Policy, comply with the APEC Cross Border Privacy Rules System (“CBPR”). The APEC CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found here.

LastPass’ privacy practices, as described in this Privacy Policy, comply with the APEC Privacy Recognition for Processors (“PRP”) system. The APEC PRP system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC PRP framework can be found here.

7. Security

LastPass has implemented a comprehensive information security program which includes appropriate technical and organizational measures designed to safeguard and protect your data. LastPass has been assessed by, and received validation from, independent third-party auditors against recognized security standards and controls, including SOC2 Type II, SOC3 Type II, ISO 27001, and BSI C5.

Additionally, LastPass uses a combination of geographically distributed hosting providers and facilities to help deliver sufficient service availability, uptime, and redundancy needed to provide our global user base with the best possible user experience.

To learn more about LastPass’ security measures and certifications, please visit the LastPass Trust & Privacy Center.

8. Children’s Privacy

LastPass’ webpages and Services are not intended for children. If you inform us or we otherwise become aware that we have unintentionally received personal data from a minor without a parent’s or guardian’s consent, we will delete this data from our records.

9. Your Rights

Your Rights

Certain jurisdictions impose legal requirements and afford privacy rights with respect to the processing of personal data. Depending on the applicable laws of your jurisdiction and the additional information included in the below regional supplements to this Privacy Policy, your rights may include the right to:

  • Access to your personal data and right to know more about how we process your personal data;
  • Export or transfer your personal data (for information about how to export your account and vault, please visit here);
  • Rectify or correct personal data about you that is inaccurate, incomplete or out-of-date (please visit here to review resources on correction, including revision of save-and-fill credentials directly within your LastPass vault);
  • Erase or delete your personal data (in order to protect the sensitive contents of your LastPass vault from inadvertent deletion, we request you initiate the deletion of your account by following the instructions here);
  • Restrict or limit the processing of personal data;
  • Object to the processing of your personal data;
  • Opt-out of the sale or sharing of your personal data for advertising purposes;
  • Not be subject to automated decision-making, including profiling, resulting in legal or similarly significant effects (please note that automated decision-making does not occur on our websites or in our Services); and
  • Appeal a refusal to act on any of the above-mentioned rights (please see applicable instructions included in the refusal or submit the appeal to privacy@lastpass.com with the subject “Appeal of Consumer Rights Request”).

LastPass will not discriminate against you, deny or provide you with a different quality of service, or charge you differently for exercising any of your privacy rights, as required by applicable law.

Exercising Your Rights

To exercise any of the above-mentioned rights, please submit your request to the LastPass Individual Rights Management Portal, e-mail us at privacy@lastpass.com, or contact us at https://support.lastpass.com, which allows you to make a request online or request a phone call. For security purposes, we will need to verify your identity by matching the identifying information you provide with the personal data we already maintain. At a minimum, we will ask for your name and email address. LastPass will never ask you for your Master Password. We may contact you for additional information that would allow us to reasonably verify your identity or in order to sufficiently respond to your request. The information that we ask you to provide for verification purposes will depend on your prior interactions with us (e.g. if you are a current LastPass user, we may verify your identity through our existing authentication practices) and the sensitivity of the personal data at issue.

We strive to respond to all legitimate privacy requests within one month of receipt, but in any event within the time frames required under applicable law. Depending on the complexity and number of requests we receive, it may take more than a month. If we require more time to process your request, we will let you know.

For your convenience, LastPass users may update their information, change their settings, or exercise some of their rights from within the Services. For more information about exercising your privacy rights, please visit Your Privacy Choices. If you wish to no longer receive marketing communications from us, you can opt-out of marketing emails by clicking on the unsubscribe link on any marketing email you receive or at https://lp.lastpass.com/LastPass-Unsubscribe.html.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, you may also contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Please note that where LastPass processes personal data on behalf of our customer, your use is subject to our customer’s policies and privacy and security practices. If our customer provides you with access to our Services, please submit your requests directly with our customer. If you submit your request to us, we will refer the request to our customer and will honor and support any instructions they provide us with respect to your personal data.

10. Changes

We may update this Privacy Policy from time to time to reflect changes to our personal data handling practices or respond to new legal requirements. If we make any material changes to this Privacy Policy that have a substantive and adverse impact on your privacy, we will provide notice on this website and additionally notify you by email (sent to the e-mail address specified in your account). We encourage you to periodically review this page for the latest information on our privacy practices.

11. Contacting LastPass

If you have any other questions about this Privacy Policy you may contact the LastPass Privacy Team or Data Protection Officer by emailing us at privacy@lastpass.com or write to us via postal mail at: Attn: Data Protection Officer, c/o LastPass Legal, LastPass, 125 High Street, Suite 220, Boston, MA 02210. To reach our Global Customer Support department, you may contact us here.

If you have any difficulties reviewing the contents of this Privacy Policy, you may also contact privacy@lastpass.com if you wish to obtain a copy of this Privacy Policy in an alternative format.

12. European Economic Area, United Kingdom, and Switzerland Supplement

The following information supplements the above Privacy Policy and applies to individuals from the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland.

Data Controller

LastPass Ireland Limited (Ella House, 41.2 Merrion Square, Dublin 2 D02 NP96, Ireland. Data protection officer: privacy@lastpass.com) is the controller for data collected in connection with your use of the Services if you live in the EEA or Switzerland or visits to our offices in the EEA. LastPass UK Ltd (5 New Street Square, London EC4A 3TW, United Kingdom. Data protection officer: privacy@lastpass.com) is the controller for data collected in connection with your use of the Services if you live in the UK or visits to our offices in the UK. For purposes of providing the Services, LastPass Ireland Limited, LastPass UK Ltd, and LastPass US LP (contact information in Section 11) are responsible as joint controllers. The parties have jointly determined the means and purposes of processing.

LastPass US LP is the controller for data collected in connection with visits to our webpages and registration for and participation in our webinars.

For information on how to exercise your privacy rights, please refer to Section 9 of this Privacy Policy. For your convenience, your request will be handled centrally on behalf of the relevant controller.

Legal Basis For Processing Personal Data

We process personal data for the purposes described in Section 3 of this Privacy Policy, which also include the lawful bases.

Your Rights As An EU, UK, or Swiss Data Subject

As a data subject in the EEA, UK, or Switzerland, you have certain rights in relation to our processing of your personal data in accordance with applicable data protection regulations:

  • Right to access (Art. 15 GDPR), right to rectification (Art. 16 GDPR), right to erasure (Art. 17 GDPR), right to restriction (Art. 18 GDPR), right to data portability (Art. 20 GDPR), right to withdraw previously given consent (Art. 7(3) GDPR).
  • Right to object (Art. 21 GDPR). In certain circumstances (e.g., where the legal basis for processing is a legitimate interest or if we are performing direct marketing), you may object to continued processing for those purposes. If you do, we will re-evaluate our legitimate business interests and your data protection interests. We will only continue the processing activity if (i) there are compelling legitimate grounds for the processing that override your interests, rights and freedoms, or (ii) the processing is necessary to establish, enforce or defend legal claims.
  • Right to lodge a complaint. We prefer to resolve any data protection concerns directly with you. However, you have the right to submit a complaint with a competent supervisory authority in the EEA, UK, or Switzerland where you reside, work, or suspect an infringement has occurred. You may find the contact details for the appropriate data protection authority here: https://edpb.europa.eu/about-edpb/about-edpb/members.

If you would like to exercise your rights as a data subject, please refer to Section 9 of this Privacy Policy or submit your request to the LastPass Individual Rights Management Portal. For additional information from the European Commission concerning data protection and your rights, see: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en.

For more information about your rights under the DPF, please refer to Section 6 of this Privacy Policy.

13. California Supplement

The following information applies to California consumers. The California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) requires businesses to provide certain information to consumers. This includes the categories of personal information that we disclose for “business purposes” to affiliates, service providers, partners, or other third parties detailed in Sections 3 and 4 of this Privacy Policy. We disclose the following categories of personal data:

  • Identifiers;
  • Commercial information;
  • Internet activity information;
  • Geolocation data;
  • Audio and visual information;
  • Professional or employment-related information; and
  • Inferences drawn from the categories of information described above.

LastPass does not sell your personal information as that term is traditionally understood. However, under California law, certain activities, including the use of third-party cookies, may be considered a “sale” of your data. We may also share your personal data with third parties for the purposes of cross-contextual advertising.

Your Rights As A Californian Resident

As a data subject in California you have certain rights in relation to our processing of your personal data in accordance with the CCPA. These include the right to know and access specific pieces of personal data that we process about you, right to request deletion of your personal data, right to request correction of your personal data, right to opt-out of sharing your personal data for advertising purposes, and right to non-discrimination for the exercise of your privacy rights. If you are a California resident under the age of 18 years old and have a LastPass account, you may ask us to delete your data (please note that LastPass’ websites and Services are not intended for children).

Your browser settings may allow you to restrict or block Cookies that are set by our website (or any other website on the internet). Your browser may include specific information on how to adjust your settings. Some internet browsers may also provide you with the ability to transmit “Do Not Track” signals or turn on Global Privacy Controls. Please see the California Privacy Protection Agency’s website at https://oag.ca.gov/privacy/ccpa for more information on valid Global Privacy Controls. If you would like to opt-out of sharing with other identifiers, please refer to Section 9 of this Privacy Policy.

If you would like to exercise your rights, please refer to Section 9 of this Privacy Policy or submit your request to the LastPass Individual Rights Management Portal.

Authorized Agent

You may designate an authorized agent to make a request on your behalf if:

  • The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
  • You sign a written declaration that you authorize the authorized agent to act on your behalf.

If you use an authorized agent to submit a request to exercise your right to access or right to request deletion of your personal data, please have the authorized agent take the following steps in addition to those steps described above:

  • Mail your written declaration authorizing the authorized agent to act on your behalf, certified by a California notary public, to Attn: LastPass Legal Department (Privacy Team), 125 High Street, Suite 220, Boston, MA 02210 with an email cc: to privacy@lastpass.com; and
  • Provide any information we request in our response to your email to verify your identity. The information that we ask you to provide for verification purposes will depend on your prior interactions with us and the sensitivity of the personal data at issue.

If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the California law.
