Data Privacy Framework Notice

Last Updated October 23, 2023

Braze, Inc. (“Braze”, “we”, “us”, “our”) complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom and Switzerland, as applicable, to the United States in reliance on the Data Privacy Framework (“Personal Data”). We have certified to the Department of Commerce that we adhere to the Data Privacy Framework Principles (the "Principles"). You can learn more about the Data Privacy Framework program here and you can view our certification here.

Scope of this Notice

Our compliance with the Data Privacy Framework applies to Personal Data that we process as a data controller as described in our Website Privacy Policy, our Candidate Privacy Policy, and our Employee Privacy Policy (each as applicable) (“Controller Personal Data”).

Our compliance with the Data Privacy Framework also applies to Personal Data that we process on behalf of our business customers in the course of providing our services to them (“Customer Personal Data”). As Braze is a customer engagement platform used by businesses for multichannel marketing, the Customer Personal Data that our customers entrust to us for processing includes information about their own customers, including contact information, device information, and information concerning consumer engagement. Braze processes Customer Personal Data to provide our services to our customers and otherwise carry out their instructions.

Purpose of processing

For information on the types of Controller Personal Data we collect, and the purposes for which we collect and use the Controller Personal Data, please see:

• “Data Collection and Use” in the Website Privacy Policy
• “Data Collection and Use” in the Candidate Privacy Policy
• “Data Collection and Use” in the Employee Privacy Policy

Third party transfers

Braze may share Controller Personal Data with third parties under circumstances described in the applicable Privacy Policy. Please see:

• "Sharing and Disclosure of Information to Third Parties" in the Website Privacy Policy
• "Sharing and Disclosure of Personal Data to Third Parties" in the Candidate Privacy Policy
• “Sharing Personal Data” in the Employee Privacy Policy

We disclose Customer Personal Data to third parties as necessary to deliver the Braze services and pursuant to our agreements with our customers. In the context of an onward transfer, we have responsibility for the processing of Personal Data subsequently transferred to a third party acting as an agent on our behalf. We remain responsible under the Principles if our agent processes such Personal Data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Individual rights

Individuals have rights in relation to their Personal Data as described in the Principles. For Controller Personal Data, please see the applicable Privacy Policy for more information on individuals’ rights to access their Personal Data and limit how it is used and disclosed, and/or complete this form here to exercise individual rights.

For Customer Personal Data, our customers are responsible for processing requests to exercise individual rights, and we suggest that you direct requests to exercise such rights directly to the relevant Braze customer. Alternatively, if you provide the name of the relevant Braze customer, we will refer your request to that customer and support their response to your request as needed.

Inquiries and complaints

If you are in the EU, UK or Switzerland and have an inquiry or complaint regarding our handling of your Personal Data under the Data Privacy Framework, you should first contact Braze by email at [email protected] or by regular mail to Braze, Inc., ATTENTION: General Counsel, Privacy Policy Issues, 330 West 34th Street, 18th Floor, New York, NY 10001, USA.

If Braze cannot resolve your complaint, where required by law, we will cooperate with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office and the Swiss Federal Data Protection and Information Commissioner with regard to your unresolved complaint concerning our handling of your Personal Data.

If neither Braze nor the relevant panel can resolve your complaint, you may be able to invoke binding arbitration, in accordance with the Data Privacy Framework requirements, through the Data Privacy Framework Panel. For more information on this option, see Annex I of the Principles.

Enforcement and compelled disclosure

Braze is subject to the investigatory and enforcement powers of the Federal Trade Commission. In addition, Braze may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Changes to this Notice

This Notice may be amended or modified from time to time consistent with the Data Privacy Framework. If there is any conflict between the terms in this Notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern.