Privacy Policy for Business

Effective as of November 26, 2025

The protection of personal data is of particular importance to ESET, spol. s r. o., having its registered office at Einsteinova 24, 85101 Bratislava, Slovak Republic, Business Registration Number: 31333532 ("ESET" or "We"). We want to comply with the transparency requirement as prescribed by the EU General Data Protection Regulation ("GDPR"). To achieve this goal, We are publishing this Privacy Policy with the sole purpose of informing you, a person using our services provided in accordance with our Terms of Use for businesses ("You"), about how We process data relating to identified or identifiable natural persons ("Data Subject") in the context of our services as defined below.

This Privacy Policy applies to all ESET products and services regulated by our Terms of Use for Business ("Terms"), and therefore to all ESET products and services included in our standard business subscriptions (except for small business subscriptions) ("Subscription"), to all ESET business accounts and their websites, including ESET PROTECT Hub, ESET Business Account, ESET MSP Administrator and ESET Services HUB ("Account") as well as to all services and features provided by ESET via the Account ("Subscription" and "Account" collectively "Services"). Our Services require the use of our standardized ESET products, which can be either locally installed and/or cloud-based (together as "Product").

The Privacy Policy as mainly concerned with how We process personal data of Data Subjects as a data controller, however, to give You more complete information, We also describe here which data We process in a data processor role in the Categories of Personal Data section. In such cases, our Data Processing Agreement applies.

We may modify this Privacy Policy from time to time at our sole discretion. We will send You an email notification with a link to the Privacy Policy as amended or We will notify You of the amended version via in-app notification or by other electronic means. If You do not agree to or cannot comply with the Privacy Policy as amended, You shall cease to use the affected Services and uninstall the affected Products if applicable. You will be deemed to have acknowledged the Privacy Policy as amended if You continue to use the Services after it becomes effective.

In particular, We would like to inform You about:

•Categories of Personal Data We Process

•Legal Basis for Personal Data Processing,

•Data Sharing and Confidentiality,

•Data Security,

•Your Rights as a Data Subject,

•Our Contact Information.

Categories of Personal Data We Process

To provide our Services, we must process various types of data that may relate to Data Subjects. Depending on the specific Services provided to You and their technical configuration, We may act as a data controller for certain data processing activities and as your data processor for others, in accordance with the GDPR.

Below, we outline the categories of data that can relate to Data Subjects that We may process in connection with our Services, taking into account our role in the specific data processing. Please note that some categories of data are processed only within specific Services and therefore may not be applicable to your particular case.

ESET as a Controller

Subscription and Billing Data. ESET collects and processes your name, email address, information about your Subscription and activation keys, and, if We process your payment, also your address, company affiliation, and payment information to provide the Services included within your Subscription. This data are used to facilitate Subscription activation, delivering activation keys, sending reminders about Subscription expiration and legal communication related to your Subscription, verifying Subscription authenticity, and sending other notifications in accordance with applicable laws. ESET is legally required to retain billing information for 10 years. Subscription-related data will be anonymized in our Subscription system no later than 12 months after your last Subscription expires, however, this data may be processed for a different time period and for different purposes in other internal systems, as described in this Privacy Policy. This includes processing of Subscription-related data together with any legal communication for 3 years after the expiry of your last Subscription for the purpose of establishment, exercise or defense of legal claims.

Account Registration Data. For Account registration and to enable You access to related Services, We may need to process your full name, company name, country of residence, valid email address, phone number, as well as Subscription-related information.

Statistical Data and Telemetry Data. To enhance the security of our infrastructure and to maintain and improve our Products and Services, telemetry information concerning the usage of our Services need to be processed in line with our legitimate interest in making our Services better and safer. They are processed on an aggregated level only and include data such as database performance, health statistics, numbers of managed endpoints, endpoint Operating System, system hardware, system errors, policies, logins, tasks, notifications, managed devices, detections statistics, event processing rates, rule engine statistics, exclusions, etc., as well as HTTP headers.

Technical Support. Contact details, Subscription information, and data provided in your support requests may be necessary for technical support purposes. Depending on the communication channel you select, We may collect your email address, phone number, Subscription information, Product details, and a description of your support case. Additional information may be requested to facilitate our technical support. All data processed for technical support is retained for 4 years.

Marketing Communication. In accordance with relevant laws governing direct marketing, We may use your contact information or our Product communication channels for direct marketing of our Products and Services, consistent with our legitimate interest in promoting our offerings. This use will continue until you unsubscribe from such communication, or until your Subscription-related data is anonymized 12 months following the expiration of your last Subscription.

Your Feedback. Your feedback, answers, or requests can be submitted through our web forms or other communication channels. To follow up, We may need your contact information (such as your email) or other relevant data, depending on the purpose and context of your communication. Data retention periods vary according to the nature or purpose of the communication and are managed in compliance with this Privacy Policy.

Specific Data Processing from Locally Installed Products

•Update and Other Statistics from Locally Installed Products. The data processed includes information about the installation process, device properties, as well as information on the operation and functioning of our Product, such as the platform where the Product is installed, operating system, hardware specifications, installation IDs, Subscription IDs, IP address, MAC address, and Product configuration settings. This data is collected for the purpose of updates, upgrades, maintenance, security, and the development of our Products, Services, and backend infrastructure. It is stored and processed independently from identification data necessary for billing or Subscription records, as its processing does not require identification of our Products' end-users or other Data Subjects. The retention period for this data is up to 4 years.

•ESET LiveGrid® Reputation System in our Anti-Malware Locally-Installed Products. One-way hashes related to infiltrations are processed for the purpose of ESET LiveGrid® Reputation System, which improves the efficiency of our anti-malware Products by comparing scanned files to a database of whitelisted and blacklisted items in the cloud. The end-user of our Product or other Data Subjects are not identified during this process.

•ESET LiveGrid® Feedback System in our Anti-Malware Locally-Installed Products. Suspicious samples and metadata from the wild are collected as part of ESET LiveGrid® Feedback System, which enables ESET to react promptly to your needs and keep us responsive to the latest threats. We are dependent on You sending us:

oInfiltrations such as potential samples of viruses and other malicious programs and suspicious, problematic, potentially unwanted or potentially unsafe objects such as executable files, email messages reported by You as spam or flagged by our Product;

oInformation concerning the use of internet, such as IP address and geographic information, IP packets, URLs and ethernet frames;

oCrash dump files and information contained.

Suspicious samples, filenames, URLs or metadata received as part of this Service may occasionally contain personal data of Data Subjects. We do not specifically seek such personal data, nor do We intent to collect it. Our sole goal in collecting and processing those samples, URLs and related metadata is to provide You and other customers with our Services, including our enhanced antimalware protection.

All data obtained and processed through the ESET LiveGrid® Feedback System is intended to be handled without identifying the end-user of our Product or any other Data Subjects.

•ESET Secure Autentication On-Prem. For the purpose of authentication, provisioning, and the overall functioning of the Product's features You may choose to use, We may require information such as username, telephone number, token name, token ID, other token information, activation URL, Subscription information, phone ID, notification ID, as well as platform information.

Please note that if, within our Services, We process data of a Data Subject who has not accepted our Terms and therefore has not entered into a contract under Art. 6 (1) b) of the GDPR (e.g., your employee, a family member, another person You have authorized to use the Services, or third parties in cases of suspicious sample collection), We process their data based on our legitimate interest under Art. 6 (1) f) of the GDPR. This processing enables us to provide the Services to You as well as to maintain their high quality and security.

ESET as a Processor

This section outlines the categories of data processed in connection with our Services for which We act as your data processor. It applies mainly to our cloud-based Products, which require the collection and processing of data concerning monitored endpoint devices on which our locally installed Products are deployed, as well as your network. The extent of monitoring that is being performed in your infrastructure, as well as the exact data being collected, depend on rules, exclusions, and settings managed by You and your administrators. We will therefore process such data as a data processor based on Data Processing Agreement to be able to provide you with our Services. Such data, along with other Service-related logs, shall be stored in accordance with Logs Retention Policy of a specific cloud-based Product, as detailed in the documentation.

We encourage You to check and review the legislation and legal requirements for data collection and processing in your country while setting up our cloud-based Products. You might be required to notify end-users of managed or monitored endpoint devices or ask for specific permission under certain jurisdictions to perform monitoring activities.

ESET PROTECT

•Managed Endpoint Devices. Management of ESET locally-installed Products requires seat ID and name, Product name, Subscription information, activation and expiration information, hardware and software information concerning managed devices with ESET Product installed. Logs concerning activities of managed ESET Products and devices are collected and available in order to facilitate managing and supervising features and our Services. Other processed information may include information concerning the installation process, including platform on which our Product is installed and information about the operations and functionality of our Products or managed devices, such as hardware fingerprint, installation IDs, Subscription IDs, IP address, MAC address, used email addresses, GPS coordinates of a mobile device or configuration settings of Product.

•Vulnerability & Patch Management. If You choose to use Vulnerability Assessment and Patch Management features, more information will be processed. The information related to the vulnerability name and identifier, severity and impact score for managed devices will be collected and processed for the Vulnerability Assessment. The Patch Management feature also requires the application name, version and vendor, the version of the patch missing on the device and the identifier of the missing patch.

•Cloud Workload Protection. This feature collects and processes primarily two types of logs:  Azure Activity Logs and Microsoft Entra ID, which may include the following personal data from your cloud environment: (i) the IP address of the API request executor and (ii) the identity of the user who executes the request (name, email). Such data from Your cloud environment is processed to detect and respond to potential malicious software or malware running in your VMs or your broader cloud environment and to write indicators in the form of a report status of connectors and tasks and/or to publish events to ESET PROTECT console and/or to OpenXDR.

•ESET Remote Access. This beta feature, if available, enables administrators to remotely access a managed endpoint device via the ESET PROTECT console. Depending on the network setup, data from the endpoint is either transmitted directly between the console (administrator's browser) and the endpoint, or relayed through ESET's servers. In both cases, all information is end-to-end encrypted on a per-session basis. This includes the remote desktop screen, mouse and keyboard activity, clipboard contents (only data copied during the session), file transfers, and chat messages. When relayed through ESET servers, the information is neither stored nor decrypted. IP addresses and routing information are processed to negotiate the connection between the endpoint and the console. If files are transferred, they follow the same encrypted path and are not retained on ESET's servers. For audit purposes, our console records certain metadata related to admin actions, such as the date and time when session starts and ends and whether file was transferred from the endpoint. Additional metadata related to the session will also be collected, such as filenames of the transmitted files, IP addresses, machine names, and usernames. Administrator's actions performed on remote device are neither monitored nor logged. Furthermore, once a console chat feature becomes available for ESET Remote Access, chat transcripts of communications between the administrator and the end-user may also be logged for audit purposes.

ESET Inspect

ESET Inspect collects and processes data from monitored endpoint devices and the network and sends them to the cloud console. As an endpoint detection and response (EDR) type of Product, it is designed for detailed monitoring and anomaly detection. On the endpoints where it is deployed, it collects information on activities and operating system events, including data on all executable modules found on the device, low-level events such as process creation, file modifications, registry modifications, network connections and all detected threats (e.g. malware, PUAs, blocked webpages, etc.). Please note that processed data may contain privacy-sensitive information like the names of all modified files, the command lines for all processes and the URLs of all visited pages.

ESET Secure Authentication

•ESA Cloud console. Our cloud-based console enables You to manage and configure our Services and it also functions as a cloud-based authentication server, processing authentication requests from endpoint devices for which You enabled two-factor authentication. Various categories of data that are necessary for the functioning of our ESET Secure Authentication are being processed there to enable provisions of our Services to You, while the exact data to be processed depend on authentication methods and components You choose to use and other configurations of the Service You make. Cloud console may therefore process data related to your end-users, such as user names and IDs, IP addresses, mobile numbers, email addresses, organizational units as well as data related to your organizational structure (if You choose automatic syncing of your database containing data on your organizational structure with our cloud console, your login credentials for the database might need to be inputted).

•Third Party Services and Integrations. If You choose to integrate ESET Secure Authentication with third-party services and components, We may process additional data necessary for integration and functioning of our Product with such services and components of your choice, e.g. necessary data from Microsoft Exchange Server, Microsoft Dynamic CRM, Identity Provider Connector or RADIUS, data on hardware tokens used by your users (e.g. hard token secret) and data related to your Subscription. To provide you with the reporting functionality as well as with relevant notifications, data related to various events happening in your organization (such as who logged-in, failed logins etc.) as well as about our  Product functioning (such as errors) need to be processed.

•Please note that, depending on the properties of the component You choose to integrate with ESET Secure Authentication, we may have to process also first-factor information used for authentication, usually the end-user's password, but only to forward it to the competent entity for verification. No passwords of end-users who use ESET Secure Authentication for two-factor authentication are stored in our ESA cloud console nor on other ESET servers.

ESET Threat Intelligence

•Sample Analysis. If You choose to submit a sample via the sample submission feature in the ESET Threat Intelligence portal, it will be automatically processed within our automated sample processing and detection systems (i.e. Advanced Machine Learning module, Multiscan, LiveGrid reputation system, Replicators service - Sandbox, Sisyfos). The output will contain results related solely to the sample's behavior. The content of the sample itself will neither be used nor included in the sample analysis output. We operate the sample processing systems used to test the sample behavior, ensuring that your data remains under our control and is not processed by third parties. Samples are stored locally for a period of 30 days, the maximum storage duration is limited to the time necessary to provide You with this feature.

•Early Warning. If you decide to set up YARA rule to utilize the Early Warning feature, for instance, searching, and You include text strings that contain personal data, this data will be used to identify the relevant instances and therefore to provide You with our Early Warning feature. You may delete the rule at any time through the ESET Threat Intelligence portal.

ESET AI Advisor. If you decide to use the ESET AI Advisor, your query, along with relevant data from monitored endpoint devices and network information processed within our cloud-based Product(s), will be transmitted to our generative AI solution running on our private cloud in Azure. Only the essential data required to address your query will be shared with the AI solution, and it will be processed exclusively to deliver the requested Service. ESET manages the AI solution, ensuring that your data remains within our control and is not processed by third parties. Please note, as mentioned above, that processed data may contain privacy sensitive information.

ESET LiveGuard Advanced. If You enable this feature, which may be available in your cloud-based or locally installed Products, any file identified as suspicious by our Product will be sent to ESET servers via ESET LiveGrid® Feedback System for automated analysis. If LiveGuard determines that the file is infected, our Product will initiate the cleaning action and delete the file. If the file is deemed clean, it will be executed normally. Analyzed files will be stored for the period You select in your settings, and logs related to the analysis will be available in your ESET PROTECT console. We will further process files detected by LiveGuard as infected as a data controller, in the same manner as we process suspicious or malicious samples within the ESET LiveGrid® Feedback System described above.

Legal Basis of Personal Data Processing

There are a few legal bases for data processing which We use as a data controller according to the applicable legislative framework related to the protection of personal data. The processing of personal data by ESET is mainly necessary for the performance of the Terms with the Data Subject (Art. 6 (1) (b) GDPR), which is applicable for the provision of ESET Products or Services, unless explicitly stated otherwise, e.g.:

•Legitimate interest legal basis (Art. 6 (1) (f) of the GDPR), that enables us to process data on how You use our Services and your satisfaction to provide You with the best protection, support and experience We can offer. Even marketing might be recognized by applicable legislation as a legitimate interest, therefore, We may rely on it for marketing communication in some cases.

•Consent (Art. 6 (1) (a) of the GDPR), which We may request from You as a Data Subject in specific situations when we deem this legal basis as the most suitable one or if it is required by law.

•Compliance with a legal obligation (Art. 6 (1) (c) of the GDPR), e.g. stipulating requirements for electronic communication, retention for invoicing or billing documents.

Data Sharing and Confidentiality

We do not share your data with third parties. However, ESET is a company that operates globally through affiliated companies or partners as part of our sales, Service and support network. Subscription, billing and technical support information processed by ESET may be transferred to and from affiliates or partners for the purpose of fulfilling the Terms, such as providing Services or support. Moreover, for the purpose of performing Professional and Security Services, we may engage our trusted partners as subcontractors to carry out certain parts of these Services.

ESET prefers to process its data in the European Union (EU). However, depending on your location (use of our Products and/or Services outside the EU) and/or the Service you choose, it may be necessary to transfer your data to a country outside the EU. For example, we use third-party services in connection with cloud computing. In these cases, we carefully select our service providers and ensure an appropriate level of data protection through contractual as well as technical and organizational measures. In compliance with GDPR, We may transfer personal data to third countries only under specific conditions. We ensure that any such transfer is carried out in accordance with the GDPR's strict requirements, aiming to safeguard the rights and freedoms of individuals whose data is being transferred. Before transferring any data outside the European Union (EU) or the European Economic Area (EEA), we assess the adequacy of the recipient country's data protection laws and consider implementing appropriate safeguards, such as:

•We evaluate if the receiving country has an adequate level of data protection, based on the European Commission's assessments.

•We use approved SCCs to contractually bind both parties and ensure that the recipient processes personal data in compliance with GDPR requirements.

•We rely on recognized codes of conduct or certification mechanisms that demonstrate compliance with data protection requirements.

By taking these measures, We ensure that personal data transfers are secure, transparent, and in accordance with the GDPR's principles. For some countries outside the EU, such as the United Kingdom and Switzerland, the EU has already determined a comparable level of data protection. Due to the comparable level of data protection, the transfer of data to these countries does not require any special authorization or agreement.

We rely on third-party services and collaborate with the external processors to provide our Services related to cloud computing, billing, etc.

Data Security

ESET implements appropriate technical and organizational measures to ensure a level of security that corresponds to potential risks. These measures are detailed in our Security Policy and, where available, in individual security policies applicable to specific Products, which can be found in this Product's documentation. We are doing our best to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Services. However, in case of a data breach resulting in a risk to your rights and freedoms, We are ready to notify the relevant supervisory authority as well as affected Data Subjects.

Data Subject’s Rights

The rights of every Data Subject matter and We would like to inform You that all Data Subjects (from any EU or any non-EU country) have the following rights guaranteed by ESET. To exercise your Data Subject's rights, You can contact us via the support form or by using of our contact details below. For identification purposes, We ask You for the following information: Name, e-mail address and - if available - activation key or customer number and company affiliation. Please refrain from sending us any other personal data, such as the date of birth. We would like to point out that to be able to process your request, as well as for identification purposes, we will process your personal data. Please note that in line with the GDPR, this section of the Privacy Policy is applicable only to Data Subjects; accordingly, all references to "You" in this section pertain to Data Subjects only.

Right to Withdraw the Consent. Right to withdraw the consent is applicable in case of processing based on consent only. If We process your personal data on the basis of your consent, You have the right to withdraw the consent at any time without giving reasons. The withdrawal of your consent is only effective for the future and does not affect the legality of the data processed before the withdrawal.

Right to Object. Right to object the processing is applicable in case of processing based on the legitimate interest of ESET or third party. If We process your personal data to protect a legitimate interest, You have the right to object to the legitimate interest named by us and the processing of your personal data at any time. Your objection is only effective for the future and does not affect the lawfulness of the data processed before the objection. If we process your personal data for direct marketing purposes, it is not necessary to give reasons for your objection. This also applies to profiling, insofar as it is connected with such direct marketing. In all other cases, we ask You to briefly inform us about your complaints against the legitimate interest of ESET to process your personal data.

Please note that in some cases, despite your consent withdrawal or your objection processing, We may be entitled to process your personal data on the basis of another legal basis, for example, for the performance of a contract.

Right of Access. You have the right to obtain information about your data processed by ESET free of charge at any time.

Right to Rectification. If we inadvertently process incorrect personal data about You, You have the right to have this corrected.

Right to Erasure. You have the right to request the deletion or restriction of the processing of your personal data. If we process your personal data, for example, with your consent, You withdraw it and there is no other legal basis, for example, a contract, We delete your personal data immediately. Your personal data will also be deleted as soon as they are no longer required for the purposes stated for them at the end of our retention period.

Right to Restriction of Processing. If we use your personal data for the sole purpose of direct marketing and You have revoked your consent or objected to the underlying legitimate interest of ESET, We will restrict the processing of your personal data to the extent that we include your contact data in our internal black list in order to avoid unsolicited contact. Otherwise, your personal data will be deleted.

Please note that We may be required to store your data until the expiry of the retention obligations and periods issued by the legislator or supervisory authorities. Retention obligations and periods may also result from the Slovak legislation. Thereafter, the corresponding data will be routinely deleted.

Right to Data Portability. We are happy to provide You, as a Data Subject, with the personal data processed by ESET in the xls format.

Right to Lodge a Complaint. As a Data Subject, You have a right to lodge a complaint with a supervisory authority at any time. ESET is subject to the regulation of Slovak laws and We are bound by data protection legislation as part of the European Union. The relevant data supervisory authority is the Office for Personal Data Protection of the Slovak Republic, located at Námestie 1. Mája 18, 81106 Bratislava, Slovak Republic.

Our Contact Information

If You would like to exercise your right as a Data Subject or You have a question or concern, please contact us at:

ESET, spol. s r.o.
Data Protection Officer
Einsteinova 24
85101 Bratislava
Slovak Republic