Data Privacy Framework Notice

Last Updated October 25, 2024

Braze, Inc. (“Braze”, “we”, “us”, “our”) complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom and Switzerland, as applicable, to the United States in reliance on the Data Privacy Framework (“Personal Data”). We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. You can learn more about the Data Privacy Framework program here and you can view our certification here.

Scope of this Notice

Our compliance with the Data Privacy Framework applies to Personal Data that we process as a data controller as described in our Website Privacy Policy, our Candidate Privacy Policy, and our Employee Privacy Policy (each as applicable) (“Controller Personal Data”).

Our compliance with the Data Privacy Framework also applies to Personal Data that we process on behalf of our business customers in the course of providing our services to them (“Customer Personal Data”). As Braze is a customer engagement platform used by businesses for multichannel marketing, the Customer Personal Data that our customers entrust to us for processing includes information about their own customers, including contact information, device information, and information concerning consumer engagement. Braze processes Customer Personal Data to provide our services to our customers and otherwise carry out their instructions.

Purpose of processing

For information on the types of Controller Personal Data we collect, and the purposes for which we collect and use the Controller Personal Data, please see:

Third party transfers

Braze may share Controller Personal Data with third parties under circumstances described in the applicable Privacy Policy. Please see:

We disclose Customer Personal Data to third parties as necessary to deliver the Braze services and pursuant to our agreements with our customers. In the context of an onward transfer, we have responsibility for the processing of Personal Data subsequently transferred to a third party acting as an agent on our behalf. We remain responsible under the EU-U.S. Principles and Swiss-U.S. DPF Principles (together "the Principles") if our agent processes such Personal Data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Individual rights

Individuals have rights in relation to their Personal Data as described in the Principles. Braze offers individuals the opportunity to opt out if their Personal Data is (i) disclosed to a third party who is not acting as an agent to perform tasks on behalf of and under the instruction of Braze, or (ii) used for a purpose that is materially different from the purpose(s) for which it was originally collected. In the event Braze processes any sensitive Personal Data, Braze obtains consent from individuals if such Personal Data is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals.

For Controller Personal Data, please see the applicable Privacy Policy for more information on individuals’ rights to access their Personal Data and limit how it is used and disclosed, and/or complete this form here to exercise individual rights.

For Customer Personal Data, our customers are responsible for processing requests to exercise individual rights, and we suggest that you direct requests to exercise such rights directly to the relevant Braze customer. Alternatively, if you provide the name of the relevant Braze customer, we will refer your request to that customer and support their response to your request as needed.

Inquiries and complaints

If you are in the EU, UK or Switzerland and have an inquiry or complaint regarding our handling of your Personal Data under the Data Privacy Framework, you should first contact Braze by email at privacy@braze.com or by regular mail to Braze, Inc., ATTENTION: General Counsel, Privacy Policy Issues, 63 Madison Building, 28 East 28th Street, 12th Floor, New York, NY 10016, USA.

If Braze cannot resolve your complaint, where required by law, we will cooperate with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (and the Gibraltar Regulatory Authority) and/or the Swiss Federal Data Protection and Information Commissioner with regard to your unresolved complaint concerning our handling of your Personal Data.

If neither Braze nor the relevant panel can resolve your complaint, you may be able to invoke binding arbitration, in accordance with the Data Privacy Framework requirements, through the Data Privacy Framework Panel. For more information on this option, see Annex I of the Principles.

Enforcement and compelled disclosure

Braze is subject to the investigatory and enforcement powers of the Federal Trade Commission. In addition, Braze may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Changes to this Notice

This Notice may be amended or modified from time to time consistent with the Data Privacy Framework. If there is any conflict between the terms in this Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.