Postman privacy policy

Last Updated October 2024

Previous Versions

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. This policy is intended to help you understand:

• What information we collect about you
• How we use information we collect
• How we share information we collect
• How we store and secure information we collect
• How to access and control your information
• How we transfer information we collect internationally
• Other important privacy information

This privacy policy covers the information relating to you that we may collect, use, share, and process when you use the Postman software and services, contact us, or otherwise interact with us (for example, by visiting our premises, attending our events or communicating with us, including by filling out forms on our websites), unless a different policy is displayed. For the purposes of this privacy policy, and unless otherwise noted, “Postman”, “we” and “us” refer to Postman, Inc. (our U.S. entity) and any of our affiliates and subsidiaries, and the term "websites" shall refer collectively to www.postman.com as well as the other websites that Postman operates and that link to this privacy policy. We refer to the Postman software and services including any Beta Previews, together with our websites, as "Services" in this policy. Your “information” is also known as “personal data” or “personal information” depending on the jurisdiction.

This policy also explains your choices about —

• How we use information about you;
• How you can object to certain uses of information about you; and
• How you can access, update, and request deletion of certain information about you.

By using our Services or otherwise interacting with our business, you acknowledge that you understand and agree to the terms of this Policy. If you do not agree with this Policy, do not use our Services.

Where we provide the Services under contract with an organization (for example your employer), that organization controls the information processed by the Services, and the contract may require us to process the information pursuant to the organization's instructions instead of pursuant to this Privacy Policy. This Privacy Policy does not apply to personal information we handle in our capacity as an employer.

We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below. We will collect, use, store and/or process this information only for the purposes listed in this policy or to contact you with information about Postman and its offerings.

Information you provide to us

We collect information about you when you input it into the Services or otherwise provide it directly to us.

Account and Profile Information: We collect information about you when you create a Postman account, create or modify your profile or your team profile settings, set preferences, or sign-up for or make purchases through the Services. For example, if you create a Postman account, we require you to provide a username and password. Your username is public, and it doesn't have to be related to your real name. You may provide your contact information and, in some cases, billing information, when you register for the Services. You also have the option of adding a profile photo and other details to your profile information to be displayed in our Services. We also store your account preferences and settings.

Content you provide through our Services: The Services include the Postman products you use to create, store, send, receive and share the API software and other User-Generated Content or "content" (as defined in the Terms of Service) you create. We collect and store this content, which may include any information about you that you choose to upload or store in our Services. We also collect feedback you provide directly to us through the Services,

Content you provide through our websites: The Services also include certain websites owned or operated by us. We collect content that you submit through these websites, including social media or social networking websites operated by us. For example, you provide content to us when you participate or provide feedback through any interactive features (including commenting on blogs), surveys, contests, promotions, activities, webinars, meetups, or events. You also provide content that you enter on our websites or send to us electronically, for example, when completing a web form (such as on our "Contact Us" webpage), requesting information (such as a product demo), registering for a webinar or other event, or subscribing to email lists or updates notifications. While the type of data we collect depends on the nature of the inquiry, we typically request name and contact details, company information, and phone number. We also automatically collect certain information relating to your use of our websites, described under the Cookies and Other Tracking Technologies section below and Cookie Notice.

Information you provide through our support channels: Our Services also include customer support, where you may choose to submit a request or information regarding a problem you are experiencing with a Service. Whether you designate yourself as an account administrator or billing contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and documentation, screenshots, or other information that you decide would be helpful in resolving the issue.

Payment Information: We collect payment and billing information when you register for certain paid Services. For example, we may ask you to designate a billing representative, including name and contact information, upon registration. You might also provide payment information, such as payment card details, which is collected and processed through external secure payment processing services.

Information we collect automatically when you use the Services

We collect information about you when you use our Services, including when you browse our websites and take certain actions within the Services.

Your use of the Services: We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use, the links you click on, and your interactions with others on the Services. We may also collect information about the teams and people you work with and how you work with them, including, for example, who you collaborate with most frequently.

Device and Connection Information: We collect information about the computer, phone, tablet, or other devices you use to access our Services. Such device information includes your connection type and device settings when you install, access, update, or use the Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference to approximate your location to provide you with a better Service experience. The volume and type of information we collect depends on your device settings and the type of device you use to access the Services.

Cookies and Other Tracking Technologies: Postman and our third-party partners use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information about our use of such technologies and how you can control or opt out of certain cookies, please see our Cookie Notice.

Information we receive from other sources

We receive information about you from other Service users, from third-party services, from our social media platforms, public databases, and from our business and channel partners. We may combine this information with information we collect through other means described above. This helps us to update and improve our records, identify new customers, create more personalized advertising and suggest services that may be of interest to you.

Other users of the Services: Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned in a support ticket opened by someone else. We also receive your email address from other Service users when they provide it to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as an additional administrator or the billing admin on your company's account.

Other services you link to your account: We receive information about you when you or your administrator integrate or link a third-party service with our Services. For example, if you create an account or log into the Services using your Google credentials, we receive your name and email address as permitted by your Google profile settings to authenticate you. You or your administrator may also integrate our Services with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Services. The information we receive when you link or integrate our Services with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Services. Postman's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Postman Partners: We work with a variety of Resellers who provide purchasing and related services around the Postman Services. We receive information from these resellers, such as billing information, billing and admin contact information, company name, what Postman Services have previously been purchased or that may be of interest to you, and your country location.

Other Partners: We receive aggregated and non-aggregated information about users' activities on and off the Services from third-party partners, such as advertising and market research partners who provide us with information about users' interests in and engagement with our Services and online advertisements.

Information we do not collect

Personal Information: Although we may receive it, we do not intentionally collect personal information that you upload or store in your Postman workspace or any of your content. Any personal information within a user's workspace or content is the responsibility of the workspace owner.

Sensitive Personal Data: We do not intentionally collect "Sensitive Personal Information" (also known as “special category data”) such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data (including for uniquely identifying a natural person), health and medical data associated with a natural person, or information concerning a natural person's sex life or sexual orientation. If you choose to store any Sensitive Personal Information on our servers, you are responsible for complying with any regulatory controls regarding that data.

Children: If you are a child under the age of 13, you may not have a Postman account. Postman does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will close your account. We don't want to discourage you from working with APIs, but those are the rules. Please see the Postman Terms of Service for information about account termination. Different countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not have a Postman account.

How we use and disclose the information we collect depends in part on which Services you use, how you use them, any preferences you have communicated to us, your relationship with us, and applicable law. Below are the purposes for which we use and disclose the information, grouped by the legal basis for those uses and disclosures under relevant European law (where applicable).

We use and disclose information for our legitimate business interests:

• To provide customer support. We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Service.
• To conduct research and development. We are always looking for ways to make our Services smarter, faster, more secure, integrated, and useful to you. We use information and collective learnings (including feedback and surveys) about how people use our Services to troubleshoot, to identify trends, usage, activity patterns and areas for integration, to improve our Services and to develop new products, features and technologies that benefit our users and the public. We also test and analyze certain new features with some users before rolling the feature out to all users. If you or your admin, as appropriate, agree, we may also use information you provide to develop artificial intelligence (AI) tools and systems as set forth in our Postman AI Terms.
• To communicate with you about the Services. We use your contact information to send transactional communications via email and within the Services, including to confirm your purchases, remind you of subscription expirations, respond to your comments, questions, and requests, provide customer support, and send you technical notices, updates, security alerts, and administrative messages. We also send you communications as you onboard to a particular Service to help you become more proficient in using that Service.
• To market, promote and drive engagement with the Services. We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you. Such communications may be made by email, and through Postman ads on other companies' websites, applications, and platforms like LinkedIn and Google. These communications, which aid to drive engagement and maximize the Services we offer to you, include timely information about new features, survey requests, newsletters, and events that we think may be of interest to you. We also may engage in these activities on the basis of your consent.
• To increase safety and security: We use information about you and the Services you use to verify accounts and activity, as part of an effort to prevent, detect, and respond to potential or actual security incidents, and to monitor and protect against other malicious, deceptive, fraudulent, or illegal activity, including violations of our Terms of Services
• To protect our legal rights, our interests, or the interests of others, and to otherwise address legal and compliance matters.
• To facilitate the acquisition, merger, or sale of our business, or similar transactions.

We use and disclose information to further our customers' legitimate interest in using our Services.

We use and disclose information to comply with our legal obligations.

We use and disclose information on the basis of your consent to:

• Engage in certain marketing activities, including certain direct marketing (but we also sometimes engage in these activities on the basis of our legitimate interests in conducting the activities).
• Publish testimonials or featured customer stories to promote the Services.

If you opened an account with us in your personal capacity (i.e., your own account that is not part of your employer's account), then when we process your information to provide our Service to you (for example, to provide contracted support), we typically do so on the basis that such processing is necessary for us to comply with our contractual obligations to you.

When we process personal information in our capacity as a "processor" for our customer, the customer is responsible for establishing its own legal basis for our processing on their behalf, and the descriptions above do not apply.

The bolded legal basis information above is based on our activities that are subject to the EU General Data Protection Regulation (GDPR) and similar European law. Where a different legal framework applies, the legal bases for the activities described above may differ. For example, the list of processing activities based on consent may be different from the above.

Postman's products are collaboration tools, which provide a way to share information through the Services and with certain third parties, as described more fully below. We are not in the business of selling information about you to advertisers or other third parties. We do not sell information that directly identifies you (like name and contact info) to outside parties (visitor information, however, including information collected via cookies and other technology, may be provided to other parties for marketing, advertising, or other uses). We may share information with trusted third parties who assist us in operating our websites, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property, or safety, or in other circumstances described below.

Sharing with other Service users

When you use the Services, we share certain information about you with other Service users.

For collaboration: You may grant permission to others to see, share, edit, copy and download the content you create on our platform, which may contain information about you, based on settings you or your account administrator (if applicable) select.

Managed accounts and administrators: If you register or access the Services using an email address with a domain that is owned by your employer or organization, or otherwise associate that email address with your existing account, certain information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organization's account administrator and other Service users sharing the same domain. If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users for the purpose of facilitating Service-related requests.

Community Forums: Our websites offer publicly accessible blogs, forums, issue trackers, and wikis like Postman Community. You should be aware that any information you post on such sites —including profile information associated with the account used to post the information—may be read, collected, and used by any member of the public who accesses the site, and those posts and profile information may remain on such sites even after you delete your account. We urge you to consider the sensitivity of any information you input into these forums. To request removal of your information from publicly accessible websites operated by us, please contact us through the contact information provided below. We will make every effort to remove your information, and will otherwise let you know if we cannot.

Sharing with third parties

We share information with third parties that help us operate, provide, improve, integrate, customize, support and market our Services.

Service Providers and Vendors: We work with third-party service providers and vendors to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analytic and other services for us, which may require them to access or use user information. If a service provider or vendor needs to access user information to perform services on our behalf, it does so pursuant to strict instructions from us, including following security and confidentiality requirements designed to protect your information.

Third-Party Apps: You, your administrator or other Service users may choose to add new functionality or change the behavior of the Services by enabling integrations with third party applications (apps) within the Services. Doing so may give third-party apps access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps. If you are an administrator on an account, you may permit us to share your details with the third-party app provider upon installation. Third-party app policies and procedures are not controlled by us, and this privacy policy does not cover how third-party apps use your information. We encourage you to review the privacy policies of third parties before connecting to or using their applications or services to learn more about their privacy and information handling practices. If you object to information about you being shared with these third parties, please uninstall the app or delete the third-party app integration, as applicable, and discontinue its use.

Links to Third Party Sites: The Services may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

Third-Party Widgets: Some of our Services may contain widgets and social media features, such as the Twitter "tweet" button. These widgets and features collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly or for other purposes. Widgets and social media features are either hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy policies and practices of the company providing it.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (b) enforce our agreements, policies and terms of service; (c) protect the security or integrity of our Services; (d) protect Postman, our customers or the public from harm or illegal activities; or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

Sharing with affiliated companies

Postman companies: We share information we have about you with other Postman corporate affiliates to operate and improve products and services subject to appropriate data transfer agreements.

Business transfers: We may share or transfer information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or through a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.

Access to private workspaces

If your workspace is private, you control the access to your Content. If your workspace content includes personal information or Sensitive Personal Information, that information is accessible to Postman in accordance with this Privacy Policy. Postman personnel do not access private workspace content except for:

• security purposes
• to assist the workspace owner with a support matter
• to maintain the integrity of the Service
• to comply with our legal obligations
• if we have reason to believe the contents are in violation of the law, or
• with your consent.

However, while we do not generally search for content in your workspaces, we may scan our servers and content to detect certain tokens or security signatures, known active malware, known vulnerabilities in dependencies, or other content known to violate the Postman Terms of Service.

Access to public workspaces

If you make your workspace public, anyone may view its contents. If you include personal information, Sensitive Personal Information, or confidential information, such as email addresses or passwords, in your public workspace, that information may be indexed by search engines or used by unknown third parties. You are responsible for complying with any regulatory controls regarding that data.

Public information on Postman

Many of Postman's services and features are, or can be made, public. If you choose to make any of your user-generated content public, or post issues, comments, or contributions to other users' public workspaces, third parties may access and use it, including by viewing your workspace and profile, or "forking" your APIs, collections, environments, mocks, monitors, and other linked entities. We do not sell that content; it is yours. However, any content made public will be publicly accessible through the internet and may be crawled and indexed by search engines.

Your personal information associated with content you make public could be accessed by third parties. If you do not want your personal information to be accessed by third parties, please do not make your personal information available publicly and be sure to configure your email address to "private" in your user profile and in your settings.

If you would like to access other users' content that is available in public workspaces on Postman, you must comply with the Terms of Service, including restrictions regarding information usage and privacy, and you may only use any public-facing user personal information you gather for the purpose for which our user authorized it. For example, where a Postman user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for the purposes of sending unsolicited emails to users or selling user personal information, such as to recruiters, headhunters, and job boards, or for commercial advertising. You are responsible for securing any personal information you have access to via public workspaces on Postman, and to respond promptly to complaints, removal requests, and "do not contact" requests from Postman and from Postman users.

Similarly, APIs, collections, environments, mocks, monitors, and other linked entities in public workspaces on Postman may include publicly available user personal information collected as part of the collaborative process. If you have a complaint about any user personal information on Postman, please contact us at help@postman.com.

Teams

You may indicate, through your actions on Postman, that you are willing to share your user personal information. If you collaborate on or become a member of a team, then the team's account owners may be able to see certain of your user personal information. If you accept an invitation to a team with a verified domain, then the owners of that team will be able to see your full email address(es) within that team's verified domain(s).

Your team's account owner(s) can provide you with more information about how they process your team users' personal information and the ways for you to access, update, alter, or delete the user personal information stored in the Account.

Please note, however, that Postman may share your username, usage information, and device information with the owner(s) of your team to help investigate or respond to a security incident or to otherwise protect the interests of the particular team or Postman.

Information storage and security

We use industry standard technical and organizational measures to secure the information we store. For more information on where and how we store your information, please see Security at Postman.

Although our security safeguards are designed to protect your information, no security system is impenetrable and, due to the inherent nature of the Internet, we cannot guarantee that data transiting the Internet or stored on our systems is absolutely safe from intruders.

How long we keep information

How long we keep information about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will store your information and isolate it from some or all further use until deletion is possible.

Account information: We retain your account information for as long as your account is active and up to 15 days thereafter. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.

Information you share on the Services: If your account is deleted, some of your information and content may remain on our Services to allow your team members or other users to make full use of the Services.

Managed accounts: If the Services are made available to you through an organization (e.g., your employer), we retain your information as long as required by the administrator of your account. For more information, see "Managed accounts and administrators" above.

Marketing information: If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time after the date you last expressed interest in our Services, i.e., since you last opened an email from us or used your Postman account. We also retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

You have certain choices available to you when it comes to your information. Below is a summary of those choices and how to exercise them.

Communications and Cookies:

Opt-out of communications: You may opt out of receiving promotional emails from us by using the unsubscribe link within each email, or by contacting us as provided at the end of this Privacy Policy to have your contact information removed from our promotional email list or registration database. You can opt out of receiving some notification messages (such as monitoring and comment notifications) via your account settings; for more information about that please visit: https://www.postman.com/settings/me/notifications. Even after you opt out of receiving promotional messages from us, you will continue to receive transactional messages from us regarding our Services.

Cookies: See our Cookie Notice for more information about how we use cookies and other choices you have. For more information about certain cookie-related practices and to understand some related options, please visit: https://youradchoices.com/, https://optout.networkadvertising.org/ and https://www.youronlinechoices.com/. Even if you use a cookie-based opt-out, you will still see advertising, but it may be less relevant to you, or it may be personalized for you based only on a smaller set of data. You must opt out on each device and each browser where you want your choice to apply. Your preference may be lost if you clear, or your browser is set to clear, cookies.

Your Choices in the Services:

Our Services have features that let users manage certain kinds of Service-related personal information records. These are described in this “Your Choices in the Services” section. But note:

• These features apply only to certain records of information in the Services (such as the content of a profile page) but do not necessarily involve or affect other records Postman may hold of the same information (such as on our accounting team's internal records of payments received from with you).
• For options that go beyond these Service features, see the next section (“Your Rights”).
• For personal information about you that we handle pursuant to a contract with our customer that designates us as the customer's "processor," it is fastest for you to contact the customer with your request if you cannot address it using the self-service options below. Note that the customer may still have the ability to restore or retain a copy of certain data or accounts that you have altered or deleted using these Service features.

Access and update your information: Our Services and related documentation (see learning.postman.com)give you the ability to access and update certain records of information about you from within the Service. You can update your profile information within your profile settings.

Change certain information: Our Services and related documentation (see learning.postman.com) give you the ability to correct or rectify certain records of information about you from within the Services.

Delete certain information: Our Services and related documentation (see learning.postman.com) give you the ability to delete certain records of information about you from within the Services. For example, you can remove certain profile information within your profile settings. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

Delete your account:  If you no longer wish to use our Services, you may delete your Services account in your account settings. Otherwise, please contact your administrator. You may also contact Postman for guidance at help@postman.com.

Disable integration sharing: If you object to information about you being shared with a third-party integration, please disable or remove the integration, or contact your administrator to do so. (You or your administrator would need to contact the third-party service provider directly with any requests you may have regarding the data you sent them through the integration.)

Your Rights:

This section does not apply to any personal information we handle pursuant to a contract with our customer that designates us as the customer's "processor" (i.e., personal information that we handle on behalf of the customer).

If you are a resident of certain locations, such as the European Union, United Kingdom, Switzerland, or California (or if you are a resident of Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia acting in your personal capacity), you have a right to:

• obtain confirmation of whether we hold personal information about them, and/or receive information about our handling of it;
• obtain access to or a copy of their personal information, and in some cases, receive it in a structured, commonly used and machine-readable format, or have it transmitted to a third party in such form (data portability);
• update, correct or delete the information;
• object to, opt-out of and/or restrict certain uses or disclosures of the information;
• withdraw consent previously provided for consent-based handling of information (without affecting the lawfulness of prior use and disclosure of the information).

The rights described above have special conditions or rules in particular locations. For example:

• California and Oregon residents can also request information about the categories of personal information we collect, disclose, or “sell” or “share” for targeted advertising purposes about them.
• Oregon residents can request a list of the specific third parties, other than natural persons, to which we have disclosed personal information.

Opt out of the “sale” of personal information or “sharing” processing of personal information for targeted advertising (for residents of California and residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia acting in their personal capacity).

• Residents of California and residents of Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia acting in their personal capacity have specific rights to opt out of certain processing of their personal information for targeted advertising, under applicable law. Targeted advertising is when we or our partners display ads to you based on your personal information that is collected across different businesses. We and our advertising partners collect certain information from our visitors, such as device identifiers, cookies, advertising IDs, IP addresses and usage activity. We and our ad partners share this information with third parties or combine it with information from other businesses to deliver more relevant (targeted) ads to you and for related advertising activities. We may also share or use hashed contact information for this purpose. This activity is known as “sharing” or processing your personal information for targeted ads under those state laws and may be considered “selling” your personal information under those state laws.
• Residents of those states who would like to opt out of our use or disclosure of information for such purposes can follow the steps at "Your Privacy Choices". Note, if you use a cookie blocker such as Ghostery, it may block visibility of this tool or link, including in your web footer.
• If you have enabled a legally recognized browser-based opt out preference signal (such as Global Privacy Control) on your browser, we recognize such preference to the extent required by applicable law.

If you are a Colorado, Connecticut, Oregon, Texas, or Virginia resident, you may appeal the denial of a request by clicking here.

Exceptions:

Almost all of the rights described here are subject to various exceptions under applicable law. Your request and choices may be limited in certain cases, such as if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your administrator are permitted by law or have compelling legitimate interests to keep.

The laws of Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia do not provide any of the rights described in this section with respect to personal information that relates to you in your professional/business or employment-related capacity. When we mention residents of those states, we are referring to people acting in their personal/family/household capacity. If you have unresolved concerns, please contact us as described at the end of this Privacy Policy.

Exercising rightsYou can contact us at privacy@postman.com or as described at the end of this Privacy Policy.

Verification of rights requests:We may take reasonable steps to verify your identity before responding to your request, which may include, depending on the sensitivity of the information involved, the nature of our relationship with you, and the type of request you are making, verifying your name, email address, and other information regarding your use of our services.

Requests made by agents: In certain states, you can designate an authorized agent to make a rights request on your behalf. To do so, you or the agent must provide written authorization acceptable to us, for the agent to act on your behalf. You may still need to verify your identity and confirm the agent's authority directly with us if we are not convinced of the validity of the agent's request. For security and legal reasons, we reserve the right to reject requests that require us to visit an agent's website. Because opt-out requests for sales and sharing made through cookies and related technology must be performed from each browser that is used to access our services, it is easiest for the consumer to perform such opt-outs themselves. However, if you wish for an agent to perform browser-based requests on your behalf, you may arrange for the agent to have access to your browser to make such requests, but you may not share your login credentials or logged-in access to our websites with an agent or any other third party. We are not responsible for the security risks of giving an agent browser access or any other arrangements that you may have with an agent.

International transfers of information we collect

We collect information globally and may transfer, process, and store your information outside of your country of residence to countries where we or our third-party service providers (and other recipients mentioned in this Privacy Policy) operate for the purpose of providing you the Services. Postman's primary hosting facilities are in the United States. Whenever we transfer your information, we take steps to protect it.

International transfers within the Postman Companies: To facilitate our global operations, we transfer information globally and allow access to that information from countries in which Postman has operations for the purposes described in this policy. These countries may not have privacy and data protection laws that are equivalent to those in the many of the countries where our customers and users are based.

International transfers to third parties: Some of the third parties described in this privacy policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we share information of customers regulated by the data protection laws of the European Economic Area, the UK, or Switzerland, we make use of standard contractual data protection clauses approved by those jurisdictions (Standard Contractual Clauses) or other appropriate legal mechanisms for the transfer.

Please contact us as provided at the end of this Privacy Policy to exercise any right you may have to see the mechanisms used for transfers of your personal data or to make a general privacy-related complaint.

International transfers of information to us

Our customers use various mechanisms for transferring personal information to us, including in some cases the Standard Contractual Clauses.

EU-U.S. Data Privacy Framework (DPF), the UK Extension of the DPF, and the Swiss-U.S. DPF:

Postman, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF) as set forth by the U.S. Department of Commerce. Postman, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information our business customers transfer to Postman, Inc. as "Your Content" (as defined in our Terms of Service) from the European Economic Area and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Postman, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information our business customers transfer to Postman, Inc. as "Your Content" (as defined in our Terms of Service) from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

As of the date of approval, the following parts of this Privacy Policy are in effect:

• We comply with the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF Principles (collectively "the Principles") with respect to all such data transferred to us in reliance on our certification under the Principles.
• We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to our compliance with the EU-U.S. DPF, UK DPF Extension, and Swiss-U.S. DPF.
• Covered individuals are able to exercise certain choices under the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF regarding how some of their personal information is used and shared, and may access, correct, or delete certain personal information by following the instructions in the "How to access and control your information" section of this Privacy Policy. For other personal information, please contact the Postman Support Center or the customer who transferred the data to us. Because Postman often acts as its customer's "processor" within the meaning of the EEA, UK, and Swiss laws, we often must refer such requests to our customer to handle, consistent with such law.
• In the context of an onward transfer of data, Postman is responsible for the processing of personal information it receives under the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Postman shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Postman shows that it is not responsible for the event giving rise to the damage.
• In compliance with the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF, Postman commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal information transferred to Postman, Inc. as "Your Content" (as defined in our Terms of Service) in reliance on the EU-U.S. DPF and the UK DPF Extension, and the Swiss-U.S. DPF should first direct any questions, concerns or complaints to Postman at help@postman.com. We will attempt to answer your questions and satisfy your concerns in a timely and complete manner.
• In compliance with the EU-U.S. DPF and the UK Extension, and the Swiss-U.S. DPF, Postman, Inc. commits to refer unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF EU-U.S. to an independent dispute resolution mechanism operated by JAMS, an alternative dispute resolution provider based in the United States. Please contact Postman first at help@postman.com. If we do not respond to your complaint within 45 days, or if after discussing the matter with Postman, Inc., your issue or complaint is not resolved to your satisfaction, please visit JAMS at https://www.jamsadr.com/file-a-dpf-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
• In certain circumstances, if your complaint has not been resolved after first raising it with Postman, Inc., following the JAMS procedure above, and taking certain other steps, complaints may be resolved through binding arbitration, as described in Annex I of the Data Privacy Framework.

Notice to End Users

Some of our Service are intended for use by organizations. Where the Services are made available to you through an organization (e.g., your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from this policy.

Administrators can:

• terminate your access to the Services; and
• install or uninstall third-party integrations.

If you join a team or contribute to a workspace associated with an organization or team, and you leave that team, that team will still have access to the content you have contributed to the team's workspace. If you would like to request deletion of your contributions or your information from a team workspace of which you were a member, please reach out to the relevant team administrator.

If you are a Postman user who is not a member of a Postman team administered by an organization (e.g., your employer), but you use an email address with a domain associated with an organization (e.g., your employer), the administrator for the organization's team may be able take control of accounts associated with that organization's domain. If an administrator does take control of an account associated with the organization's domain, the account holder associated with such Services will be notified.

Please contact your organization or refer to your administrator's organizational policies for more information, or consider using your personal email address to register for the Services independent of an organization's account.

Disclosures for California Residents

This section applies only to Postman's handling of personal information about California residents under the California Consumer Protection Act ("CCPA"). It does not apply to:

• personal information that we handle as a "service provider" or "processor" on behalf of our customers, such as when you use our Services through your employer. Our processing of such information is governed by our agreements with each customer. We do not control what our customers do with the information we process on their behalf. For information that we process on behalf of a customer, please see the customer's privacy policy or contact that customer for more information and to exercise any rights with regard to such information;
• personal information about people who live outside California;
• "publicly available information" or "deidentified" information (as defined in the CCPA); or
• other information that is exempt from the CCPA.

That other information may be handled differently.

Collection, Use, and Disclosure of California Personal Information

During the 12 months leading up to the effective date of this Privacy Policy, we have collected all of the types of personal information described in the "What information we collect about you" section of this Privacy Policy. During that period, we made the following disclosures of personal information about Californians:

CCPA "Sales" and "Sharing"

The CCPA defines the "sale" of personal information to include selling user data to random third parties for money, like a data broker does—something we have never done. But it also defines "sale" and "sharing" in a broader sense that includes some more common practices. For example, under the CCPA, these terms include the use of certain advertising services, like when we pay an ad tech company to place a cookie on the browser of a visitor to our website so that the user can see an ad for our services on other websites. The ad tech company can see the website visitor's IP address and other browser/device data as part of that process. We've done that over the last year and plan to continue to do so.

CCPA "Sales" and "Sharing" Personal Information of Consumers under the Age of 16 Years

Postman does not “sell” or “share” personal information (as those terms are defined under the CCPA) if we have actual knowledge that the consumer is less than 16 years of age.

Your CCPA Right to Opt Out of "Sale" or "Sharing" of Personal Information

Californians have a right to direct us not to "sell" or "share" certain personal information as those terms are defined in the CCPA. You can also exercise that right by following the steps available through "Your Privacy Choices" form.

Your browser may also offer a way to activate the Global Privacy Control signal (“GPC”). By default, our websites each treat qualifying browsers for which a California user has activated the GPC signal as having opted out of what CCPA calls a "sale" or "sharing" of any California personal information that is collected on that site from that browser using cookies and similar technology. You can override that treatment for a GPC-enabled browser by managing your cookies through the Cookie notice.

You also can contact our support team at help@postman.com to perform the portion of the "sale" or "sharing" opt-out process in which you provide us with contact information.

Opting out of "sales" and "sharing" limits only some types of disclosures of personal information, and there are exceptions to all of the rights described in this section.

In addition to the CCPA rights described here, California residents have additional rights as set out above in How to access and control your information, above.

We do not use or disclose "sensitive personal information" as defined in the CCPA in a manner that requires us to offer a special right to limit our use of this data under the CCPA due to its sensitive nature.

Nondiscrimination

You also have a right not to receive "discriminatory treatment" (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.

Our policy towards children

Our Services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact help@postman.com.

Right to Lodge a Complaint with a Supervisory Authority

In general, every individual has a right to lodge a complaint with their local authority, though we invite you to contact us first so that we may do our best to address the matter. If the EU or UK General Data Protection Regulation applies to our processing of your personal data, you have the right to lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR. In the UK, you can lodge a complaint with the UK Information Commissioner's Office.

Changes to our Privacy Policy

We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice through the Services homepages or login screens, or by sending you an email notification. We will also keep prior versions of this privacy policy in an archive for your review upon request. We encourage you to review our privacy policy whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this privacy policy, you will need to stop using the Services and delete your account(s), as outlined above.

Contacting Us

If there are any questions or complaints regarding this privacy policy or our handling of personal information, you may contact us using the information below.

help@postman.com

Postman, Inc. or Postdot Technologies UK Ltd.
ATTN: Legal
201 Mission Street, Suite 2375
San Francisco, CA 94105

European Union Representative

We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of personal data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative or via telephone at: +420 228 881 031. Alternatively, VeraSafe can be contacted at:

VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Cork T23AT2P
Ireland

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of personal data. VeraSafe's contact details are:

VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA

Email: experts@verasafe.com
Web: https://www.verasafe.com/about-us/contact-us/

Key Changes

October 2024

1. Inclusion of contact information for Data Protection Officer
2. More information about legal basis for processing personal information
3. Additional detail about rights under U.S. state laws.