Postman privacy policy (archived)

Postmanaut standing in front of scales of justice. Illustration.

Effective October 2023

Previous Versions

What this Privacy Policy covers

Your privacy is important to us, and so is being transparent about how we collect, use, and share information about you. This policy is intended to help you understand:

This privacy policy covers the information relating to you that we may collect, use, share, and process when you use the Postman software and services, contact us, or otherwise interact with us (for example, by visiting our premises, attending our events or communicating with us, including by filling out forms on our websites), unless a different policy is displayed. For the purposes of this privacy policy, and unless otherwise noted, “Postman”, “we” and “us” refer to Postman, Inc. (our U.S. entity) and any of our affiliates and subsidiaries, and the term "websites" shall refer collectively to www.postman.com as well as the other websites that Postman operates and that link to this privacy policy. We refer to the Postman software and services including any Beta Previews, together with our websites, as "Services" in this policy.

This policy also explains your choices about —

  • How we use information about you;
  • How you can object to certain uses of information about you; and
  • How you can access, update, and request deletion of certain information about you.

By using our Services or otherwise interacting with our business, you acknowledge that you understand and agree to the terms of this Policy. If you do not agree with this Policy, do not use our Services.

Where we provide the Services under contract with an organization (for example your employer), that organization controls the information processed by the Services, and the contract may require us to process the information pursuant to the organization's instructions instead of pursuant to this Privacy Policy.

What information we collect about you

We collect information about you when you provide it to us, when you use our Services, and when other sources provide it to us, as further described below. We will collect, use, store and/or process this information only for the purposes listed in this policy or to contact you with information about Postman and its offerings.

Information you provide to us

We collect information about you when you input it into the Services or otherwise provide it directly to us.

Account and Profile Information: We collect information about you when you create a Postman account, create or modify your profile or your team profile settings, set preferences, or sign-up for or make purchases through the Services. For example, if you create a Postman account, we require you to provide a username and password. Your username is public, and it doesn't have to be related to your real name. You may provide your contact information and, in some cases, billing information, when you register for the Services. You also have the option of adding a profile photo and other details to your profile information to be displayed in our Services. We also store your account preferences and settings.

Content you provide through our Services: The Services include the Postman products you use to create, store, send, receive and share the API software and other User-Generated Content or "content" (as defined in the Terms of Service) you create. We collect and store this content, which may include any information about you that you choose to upload or store in our Services. We also collect feedback you provide directly to us through the Services,

Content you provide through our websites: The Services also include certain websites owned or operated by us. We collect content that you submit through these websites, including social media or social networking websites operated by us. For example, you provide content to us when you participate or provide feedback through any interactive features (including commenting on blogs), surveys, contests, promotions, activities, webinars, meetups, or events. You also provide content that you enter on our websites or send to us electronically, for example, when completing a web form (such as on our "Contact Us" webpage), requesting information (such as a product demo), registering for a webinar or other event, or subscribing to email lists or updates notifications. While the type of data we collect depends on the nature of the inquiry, we typically request name and contact details, company information, and phone number. We also automatically collect certain information relating to your use of our websites, described under the Cookies and Other Tracking Technologies section below and Cookie Notice.

Information you provide through our support channels: Our Services also include customer support, where you may choose to submit a request or information regarding a problem you are experiencing with a Service. Whether you designate yourself as an account administrator or billing contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and documentation, screenshots, or other information that you decide would be helpful in resolving the issue.

Payment Information: We collect payment and billing information when you register for certain paid Services. For example, we may ask you to designate a billing representative, including name and contact information, upon registration. You might also provide payment information, such as payment card details, which is collected and processed through external secure payment processing services.

Information we collect automatically when you use the Services

We collect information about you when you use our Services, including when you browse our websites and take certain actions within the Services.

Your use of the Services: We keep track of certain information about you when you visit and interact with any of our Services. This information includes the features you use, the links you click on, and your interactions with others on the Services. We may also collect information about the teams and people you work with and how you work with them, including, for example, who you collaborate with most frequently.

Device and Connection Information: We collect information about the computer, phone, tablet, or other devices you use to access our Services. Such device information includes your connection type and device settings when you install, access, update, or use the Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference to approximate your location to provide you with a better Service experience. The volume and type of information we collect depends on your device settings and the type of device you use to access the Services.

Cookies and Other Tracking Technologies: Postman and our third-party partners use cookies and other tracking technologies (e.g., web beacons, device identifiers and pixels) to provide functionality and to recognize you across different Services and devices. For more information about our use of such technologies and how you can control or opt out of certain cookies, please see our Cookie Notice.

Information we receive from other sources

We receive information about you from other Service users, from third-party services, from our social media platforms, public databases, and from our business and channel partners. We may combine this information with information we collect through other means described above. This helps us to update and improve our records, identify new customers, create more personalized advertising and suggest services that may be of interest to you.

Other users of the Services: Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned in a support ticket opened by someone else. We also receive your email address from other Service users when they provide it to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as an additional administrator or the billing admin on your company's account.

Other services you link to your account: We receive information about you when you or your administrator integrate or link a third-party service with our Services. For example, if you create an account or log into the Services using your Google credentials, we receive your name and email address as permitted by your Google profile settings to authenticate you. You or your administrator may also integrate our Services with other services you use, such as to allow you to access, store, share and edit certain content from a third-party through our Services. The information we receive when you link or integrate our Services with a third-party service depends on the settings, permissions and privacy policy controlled by that third-party service. You should always check the privacy settings and notices in these third-party services to understand what data may be disclosed to us or shared with our Services. Postman's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Postman Partners: We work with a variety of Resellers who provide purchasing and related services around the Postman Services. We receive information from these resellers, such as billing information, billing and admin contact information, company name, what Postman Services have previously been purchased or that may be of interest to you, and your country location.

Other Partners: We receive aggregated and non-aggregated information about users' activities on and off the Services from third-party partners, such as advertising and market research partners who provide us with information about users' interests in and engagement with our Services and online advertisements.

Information we do not collect

Personal Information: Although we may receive it, we do not intentionally collect personal information that you upload or store in your Postman workspace or any of your content. Any personal information within a user's workspace or content is the responsibility of the workspace owner.

Sensitive Personal Data: We do not intentionally collect "Sensitive Personal Information" such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data (including for uniquely identifying a natural person), health and medical data associated with a natural person, or information concerning a natural person's sex life or sexual orientation. If you choose to store any Sensitive Personal Information on our servers, you are responsible for complying with any regulatory controls regarding that data.

Children: If you are a child under the age of 13, you may not have a Postman account. Postman does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will close your account. We don't want to discourage you from working with APIs, but those are the rules. Please see the Postman Terms of Service for information about account termination. Different countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not have a Postman account.

How we use information we collect

How we use the information we collect depends in part on which Services you use, how you use them, and any preferences you have communicated to us. Below are the specific purposes for which we use the information we collect about you.

To provide the Services and personalize your experience: We use information about you to provide the Services to you, including to process transactions with you, authenticate you when you log in, provide customer support, and operate and maintain the Services. For example, we use the name and picture you provide in your account to identify you to other Service users. Our Services also include tailored features that personalize your experience, enhance your productivity, and improve your ability to collaborate effectively with others by automatically analyzing the activities of your team to provide activity feeds and notifications that are relevant for you and your team. We may use your email domain to infer your affiliation with a particular organization or industry to personalize the content and experience you receive on our websites. Where you use multiple Services, we combine information about you and your activities to provide an integrated experience, such as to allow you to find information from one Service while searching from another or to present relevant product information as you travel across our websites.

For research and development: We are always looking for ways to make our Services smarter, faster, more secure, integrated, and useful to you. We use information and collective learnings (including feedback and surveys) about how people use our Services to troubleshoot, to identify trends, usage, activity patterns and areas for integration, to improve our Services and to develop new products, features and technologies that benefit our users and the public. We also test and analyze certain new features with some users before rolling the feature out to all users.

To communicate with you about the Services: We use your contact information to send transactional communications via email and within the Services, including to confirm your purchases, remind you of subscription expirations, respond to your comments, questions, and requests, provide customer support, and send you technical notices, updates, security alerts, and administrative messages. We also send you communications as you onboard to a particular Service to help you become more proficient in using that Service. These communications are part of the Services and in most cases you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings.

To market, promote and drive engagement with the Services: We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you. Such communications may be made by email, and through Postman ads on other companies' websites, applications, and platforms like LinkedIn and Google. These communications, which aid to drive engagement and maximize the Services we offer to you, include timely information about new features, survey requests, newsletters, and events that we think may be of interest to you. You can control whether you receive certain communications as described in the "opt-out of communications" part of the "How to access and control your information" section of our Privacy Policy below.

For Customer support: We use your information to resolve technical issues you encounter, to respond to your requests for assistance, to analyze crash information, and to repair and improve the Services.

For safety and security: We use information about you and the Services you use to verify accounts and activity, to prevent, detect, and respond to potential or actual security incidents, and to monitor and protect against other malicious, deceptive, fraudulent, or illegal activity, including violations of our Terms of Services.

To protect our legitimate business interests and legal rights: Where required by law or where we believe it is necessary to protect our legal rights, our interests, or the interests of others, we use information about you in connection with legal claims, regulatory compliance and inquiries, audit functions, and disclosures in connection with the acquisition, merger, or sale of a business.

With your consent: We use information about you where you have given us consent to do so for a specific purpose not listed above. For example, we may publish testimonials or featured customer stories to promote the Services, with your permission.

Legal basis for processing (for UK/EEA/Swiss users):

If you are an individual in the United Kingdom (UK), European Economic Area (EEA), or Switzerland we collect and process information about you only where we have legal basis for doing so under applicable UK, EEA, and Swiss laws. The legal basis depends on the Services you use and how you use them. This means we collect and use your information only where:

  • We need it to provide you the Services, including to operate the Services, provide customer support and personalized features and to protect the safety and security of the Services;
  • It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
  • You give us consent to do so for a specific purpose; or
  • We need to process your data to comply with a legal obligation.

If you have consented to our using information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we or a third party (e.g., your employer) have a legitimate interest to do so, you have the right to object to that use though, in some cases, this may limit your ability to use the Services.

When we process personal information in our capacity as a "processor" for our customer, the customer is responsible for establishing the legal basis for the processing.

How we share information we collect

Postman's products are collaboration tools, which provide a way to share information through the Services and with certain third parties, as described more fully below. We are not in the business of selling information about you to advertisers or other third parties. We do not sell information that directly identifies you (like name and contact info) to outside parties (visitor information, however, including information collected via cookies and other technology, may be provided to other parties for marketing, advertising, or other uses). We may share information with trusted third parties who assist us in operating our websites, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect ours or others' rights, property, or safety, or in other circumstances described below.

Sharing with other Service users

When you use the Services, we share certain information about you with other Service users.

For collaboration: You may grant permission to others to see, share, edit, copy and download the content you create on our platform, which may contain information about you, based on settings you or your account administrator (if applicable) select.

Managed accounts and administrators: If you register or access the Services using an email address with a domain that is owned by your employer or organization, or otherwise associate that email address with your existing account, certain information about you including your name, profile picture, contact info, content and past use of your account may become accessible to that organization's account administrator and other Service users sharing the same domain. If you are an administrator for a particular site or group of users within the Services, we may share your contact information with current or past Service users for the purpose of facilitating Service-related requests.

Community Forums: Our websites offer publicly accessible blogs, forums, issue trackers, and wikis like Postman Community. You should be aware that any information you post on such sites -- including profile information associated with the account used to post the information -- may be read, collected, and used by any member of the public who accesses the site, and those posts and profile information may remain on such sites even after you delete your account. We urge you to consider the sensitivity of any information you input into these forums. To request removal of your information from publicly accessible websites operated by us, please contact us through the contact information provided below. We will make every effort to remove your information, and will otherwise let you know if we cannot.

Sharing with third parties

We share information with third parties that help us operate, provide, improve, integrate, customize, support and market our Services

Service Providers and Vendors: We work with third-party service providers and vendors to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analytic and other services for us, which may require them to access or use user information. If a service provider or vendor needs to access user information to perform services on our behalf, it does so pursuant to strict instructions from us, including following security and confidentiality requirements designed to protect your information.

Third Party Apps: You, your administrator or other Service users may choose to add new functionality or change the behavior of the Services by enabling integrations with third party applications (apps) within the Services. Doing so may give third-party apps access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps. If you are an administrator on an account, you may permit us to share your details with the third-party app provider upon installation. Third-party app policies and procedures are not controlled by us, and this privacy policy does not cover how third-party apps use your information. We encourage you to review the privacy policies of third parties before connecting to or using their applications or services to learn more about their privacy and information handling practices. If you object to information about you being shared with these third parties, please uninstall the app or delete the third-party app integration, as applicable, and discontinue its use.

Links to Third Party Sites: The Services may include links that direct you to other websites or services whose privacy practices may differ from ours. If you submit information to any of those third-party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

Third-Party Widgets: Some of our Services may contain widgets and social media features, such as the Twitter "tweet" button. These widgets and features collect your IP address, which page you are visiting on the Services, and may set a cookie to enable the feature to function properly or for other purposes. Widgets and social media features are either hosted by a third party or hosted directly on our Services. Your interactions with these features are governed by the privacy policies and practices of the company providing it.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may share information about you with a third party if we believe that sharing is reasonably necessary to (a) disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (b) enforce our agreements, policies and terms of service; (c) protect the security or integrity of our Services; (d) protect Postman, our customers or the public from harm or illegal activities; or (e) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.

Sharing with affiliated companies

Postman companies: We share information we have about you with other Postman corporate affiliates to operate and improve products and services.

Business transfers: We may share or transfer information we collect under this privacy policy in connection with any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or through a prominent notice on the Services if a transaction takes place, as well as any choices you may have regarding your information.

Workspace content

Access to private workspaces

If your workspace is private, you control the access to your Content. If your workspace content includes personal information or Sensitive Personal Information, that information is accessible to Postman in accordance with this Privacy Policy. Postman personnel do not access private workspace content except for:

  • security purposes
  • to assist the workspace owner with a support matter
  • to maintain the integrity of the Service
  • to comply with our legal obligations
  • if we have reason to believe the contents are in violation of the law, or
  • with your consent.

However, while we do not generally search for content in your workspaces, we may scan our servers and content to detect certain tokens or security signatures, known active malware, known vulnerabilities in dependencies, or other content known to violate the Postman Terms of Service.

Access to public workspaces

If you make your workspace public, anyone may view its contents. If you include personal information, Sensitive Personal Information, or confidential information, such as email addresses or passwords, in your public workspace, that information may be indexed by search engines or used by unknown third parties. You are responsible for complying with any regulatory controls regarding that data.

Other important information

Public information on Postman

Many of Postman's services and features are, or can be made, public. If you choose to make any of your user-generated content public, or post issues, comments, or contributions to other users' public workspaces, third parties may access and use it, including by viewing your workspace and profile, or "forking" your APIs, collections, environments, mocks, monitors, and other linked entities. We do not sell that content; it is yours. However, any content made public will be publicly accessible through the internet and may be crawled and indexed by search engines.

Your personal information associated with content you make public could be accessed by third parties. If you do not want your personal information to be accessed by third parties, please do not make your personal information available publicly and be sure to configure your email address to "private" in your user profile and in your settings.

If you would like to access other users' content that is available in public workspaces on Postman, you must comply with the Terms of Service, including restrictions regarding information usage and privacy, and you may only use any public-facing user personal information you gather for the purpose for which our user authorized it. For example, where a Postman user has made an email address public-facing for the purpose of identification and attribution, do not use that email address for the purposes of sending unsolicited emails to users or selling user personal information, such as to recruiters, headhunters, and job boards, or for commercial advertising. You are responsible for securing any personal information you have access to via public workspaces on Postman, and to respond promptly to complaints, removal requests, and "do not contact" requests from Postman and from Postman users.

Similarly, APIs, collections, environments, mocks, monitors, and other linked entities in public workspaces on Postman may include publicly available user personal information collected as part of the collaborative process. If you have a complaint about any user personal information on Postman, please contact us at help@postman.com.

Teams

You may indicate, through your actions on Postman, that you are willing to share your user personal information. If you collaborate on or become a member of a team, then the team's account owners may be able to see certain of your user personal information. If you accept an invitation to a team with a verified domain, then the owners of that team will be able to see your full email address(es) within that team's verified domain(s).

Your team's account owner(s) can provide you with more information about how they process your team users' personal information and the ways for you to access, update, alter, or delete the user personal information stored in the Account.

Please note, however, that Postman may share your username, usage information, and device information with the owner(s) of your team to help investigate or respond to a security incident or to otherwise protect the interests of the particular team or Postman.

How we store and secure information we collect

Information storage and security

We use industry standard technical and organizational measures to secure the information we store. For more information on where and how we store your information, please see Security at Postman.

Although our security safeguards are designed to protect your information, no security system is impenetrable and, due to the inherent nature of the Internet, we cannot guarantee that data transiting the Internet or stored on our systems is absolutely safe from intruders.

How long we keep information

How long we keep information about you depends on the type of information, as described in further detail below. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will store your information and isolate it from some or all further use until deletion is possible.

Account information: We retain your account information for as long as your account is active and up to 15 days thereafter. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.

Information you share on the Services: If your account is deleted, some of your information and content may remain on our Services to allow your team members or other users to make full use of the Services.

Managed accounts: If the Services are made available to you through an organization (e.g., your employer), we retain your information as long as required by the administrator of your account. For more information, see "Managed accounts and administrators" above.

Marketing information: If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time after the date you last expressed interest in our Services, i.e., since you last opened an email from us or used your Postman account. We also retain information derived from cookies and other tracking technologies for a reasonable period of time from the date such information was created.

How to access and control your information

You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.

Your Choices:

Individuals in many locations have a the right to request a copy of their information, to object to our use of their information (including for marketing purposes), to request the deletion, correction, amendment, or restriction of the handling of their information, and in some cases to request their information in a structured, electronic format. Below, we describe the tools and processes for making these requests for certain information. You may contact us as provided in the Contact Us section below to request assistance for this or other information. However, if your request relates to personal information we handle pursuant to a contract with our customer that designates us as the customer's "processor," it is fastest for you to contact the customer with your request if you cannot address it using the self-service options below.

Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your administrator are permitted by law or have compelling legitimate interests to keep. Where you have asked us to share data with third parties, for example, by installing third-party apps, you will need to contact those third-party service providers directly to have your information deleted or otherwise restricted. If you have unresolved concerns, please contact us as described at the end of this Privacy Policy. Every individual also has the right to complain to a data protection authority in their country.

Access and update your information: Our Services and related documentation (see learning.postman.com) give you the ability to access and update certain information about you from within the Service. You can update your profile information within your profile settings.

Delete your information: Our Services and related documentation (see learning.postman.com) give you the ability to delete certain information about you from within the Services. For example, you can remove certain profile information within your profile settings. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

Delete your account: If you no longer wish to use our Services, you may delete your Services account in your account settings. Otherwise, please contact your administrator. You may also contact Postman for guidance at help@postman.com.

Request that we stop using your information: In some cases, you may ask us to stop accessing, storing, using or otherwise processing your information where you believe we don't have the appropriate rights to do so. For example, if you believe a Postman account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this policy. Where you previously gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place. pt-out of our use of certain information for marketing purposes by contacting us, as provided below. When you make such requests, we may need time to investigate and facilitate your request, and you may need to follow certain instructions to confirm or implement your request. If there is delay or dispute as to whether we have the right to continue using your information, we will comply with any applicable legal requirement to restrict any further use of your information until the request is honored or the dispute is resolved, provided your administrator does not object (where applicable). If you object to information about you being shared with a third-party integration, please disable You can also othe integration or contact your administrator to do so.

Opt-out of communications: You may opt out of receiving promotional emails from us by using the unsubscribe link within each email, or by contacting us as provided below to have your contact information removed from our promotional email list or registration database. You can opt out of receiving some notification messages (such as monitoring and comment notifications) via your account settings; for more information about that please visit: https://www.postman.com/settings/me/notifications. Even after you opt out of receiving promotional messages from us, you will continue to receive transactional messages from us regarding our Services.

You may be able to opt out of receiving certain personalized advertisements from other companies who are members of the Network Advertising Initiative or who subscribe to the Digital Advertising Alliance's Self-Regulatory Principles for Online Behavioral Advertising. For more information about this practice and to understand your options, please visit: https://youradchoices.com/, https://optout.networkadvertising.org/ and https://www.youronlinechoices.com/.

Data portability: Data portability is the ability to obtain some of your information in a format you can move from one service provider to another (for instance, when you transfer your mobile phone number to another carrier). Depending on the context, this applies to some, but not all, of your information. For assistance, you may contact Postman support at help@postman.com.

How information is transfered internationally

International transfers of information we collect

We collect information globally and may transfer, process, and store your information outside of your country of residence to countries where we or our third-party service providers (and other recipients mentioned in this Privacy Policy) operate for the purpose of providing you the Services. Postman's primary hosting facilities are in the United States. Whenever we transfer your information, we take steps to protect it.

International transfers within the Postman Companies: To facilitate our global operations, we transfer information globally and allow access to that information from countries in which Postman has operations for the purposes described in this policy. These countries may not have privacy and data protection laws that are equivalent to those in the many of the countries where our customers and users are based.

International transfers to third parties: Some of the third parties described in this privacy policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we share information of customers regulated by the data protection laws of the European Economic Area, the UK, or Switzerland, we make use of standard contractual data protection clauses approved by those jurisdictions (Standard Contractual Clauses) or other appropriate legal mechanisms for the transfer.

Please contact us as provided at the end of this Privacy Policy to exercise any right you may have to see the mechanisms used for transfers of your personal data or to make a general privacy-related complaint.

International transfers of information to us

Our customers use various mechanisms for transferring personal information to us, including in some cases the Standard Contractual Clauses.

EU-U.S. Data Privacy Framework (DPF), the UK Extension of the DPF, and the Swiss-U.S. DPF:

Postman, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the DPF (UK DPF Extension), and the Swiss-U.S. Data Privacy Framework (Swiss DPF) as set forth by the U.S. Department of Commerce. Postman, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal information our business customers transfer to Postman, Inc. as "Your Content" (as defined in our Terms of Service) from the European Economic Area and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Postman, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal information our business customers transfer to Postman, Inc. as "Your Content" (as defined in our Terms of Service) from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

As of the date of approval, the following parts of this Privacy Policy are in effect:

  • We comply with the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF Principles (collectively "the Principles") with respect to all such data transferred to us in reliance on our certification under the Principles.
  • We are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with respect to our compliance with the EU-U.S. DPF, UK DPF Extension, and Swiss-U.S. DPF.
  • Covered individuals are able to exercise certain choices under the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF regarding how some of their personal information is used and shared, and may access, correct, or delete certain personal information by following the instructions in the "How to access and control your information" section of this Privacy Policy. For other personal information, please contact the Postman Support Center or the customer who transferred the data to us. Because Postman often acts as its customer's "processor" within the meaning of the EEA, UK, and Swiss laws, we often must refer such requests to our customer to handle, consistent with such law.
  • In the context of an onward transfer of data, Postman is responsible for the processing of personal information it receives under the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF, and subsequently transfers to a third party acting as an agent on its behalf. Postman shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless Postman shows that it is not responsible for the event giving rise to the damage.
  • In compliance with the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF, Postman commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal information transferred to Postman, Inc. as "Your Content" (as defined in our Terms of Service) in reliance on the EU-U.S. DPF and the UK DPF Extension, and the Swiss-U.S. DPF should first direct any questions, concerns or complaints to Postman at help@postman.com. We will attempt to answer your questions and satisfy your concerns in a timely and complete manner.
  • In compliance with the EU-U.S. DPF and the UK Extension, and the Swiss-U.S. DPF, Postman, Inc. commits to refer unresolved complaints concerning our handling of personal information received in reliance on the EU-U.S. DPF, UK DPF Extension, and the Swiss-U.S. DPF EU-U.S. to an independent dispute resolution mechanism operated by JAMS, an alternative dispute resolution provider based in the United States. Please contact Postman first at help@postman.com. If we do not respond to your complaint within 45 days, or if after discussing the matter with Postman, Inc., your issue or complaint is not resolved to your satisfaction, please visit JAMS at https://www.jamsadr.com/file-a-dpf-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you,
  • In certain circumstances, if your complaint has not been resolved after first raising it with Postman, Inc., following the JAMS procedure above, and taking certain other steps, complaints may be resolved through binding arbitration, as described in Annex I of the Data Privacy Framework.

Other important privacy information

Notice to End Users

Some of our Service are intended for use by organizations. Where the Services are made available to you through an organization (e.g., your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from this policy.

Administrators can:

  • terminate your access to the Services; and
  • install or uninstall third-party integrations.

If you join a team or contribute to a workspace associated with an organization or team, and you leave that team, that team will still have access to the content you have contributed to the team's workspace. If you would like to request deletion of your contributions or your information from a team workspace of which you were a member, please reach out to the relevant team administrator.

If you are a Postman user who is not a member of a Postman team administered by an organization (e.g., your employer), but you use an email address with a domain associated with an organization (e.g., your employer), the administrator for the organization's team may be able take control of accounts associated with that organization's domain. If an administrator does take control of an account associated with the organization's domain, the account holder associated with such Services will be notified.

Please contact your organization or refer to your administrator's organizational policies for more information, or consider using your personal email address to register for the Services independent of an organization's account.

Disclosures for California Residents

This section applies only to Postman's handling of personal information about California residents under the California Consumer Protection Act ("CCPA"). It does not apply to:

  • personal information that we handle as a "service provider" or "processor" on behalf of our customers;
  • personal information about people who live outside California;
  • "publicly available information" or "deidentified" information (as defined in the CCPA); or
  • other information that is exempt from the CCPA.

That other information may be handled differently.

Collection, Use, and Disclosure of California Personal Information

During the 12 months leading up to the effective date of this Privacy Policy, we have collected all of the types of personal information described in the "What information we collect about you" section of this Privacy Policy. During that period, we made the following disclosures of personal information about Californians:

CATEGORY OF CA PERSONAL INFORMATIONCATEGORIES OF ENTITIES TO WHICH IT WAS DISCLOSED
Identifiers (e.g., name, email address, telephone number, and other contact info)Affiliates, vendors and service providers (for example, payment processors), and governmental entities (as appropriate)
Commercial information (such as personal information in records of transactions with us and communications with us)Affiliates, vendors and service providers (for example, payment processors), and governmental entities (as appropriate)
Audio, electronic, visual or similar information (e.g., recordings of calls, meetings, or events, and voicemail messages)Affiliates and service providers
Internet or other electronic network activity information (e.g., interactions with our emails and digital platforms and third party websites and applications)Affiliates, vendors and service providers (for example, payment processors, providers of advertising services, and operators of certain embedded functionality on our website)

CCPA "Sales" and "Sharing"

The CCPA defines the "sale" of personal information to include selling user data to random third parties for money, like a data broker does—something we have never done. But it also defines "sale" and "sharing" in a broader sense that includes some more common practices. For example, under the CCPA, these terms include the use of certain advertising services, like when we pay an ad tech company to place a cookie on the browser of a visitor to our website so that the user can see an ad for our services on other websites. The ad tech company can see the website visitor's IP address and other browser/device data as part of that process. We've done that over the last year and plan to continue to do so.

CCPA "Sales" and "Sharing" Personal Information of Consumers under the Age of 16 Years

Postman does not “sell” or “share” personal information (as those terms are defined under the CCPA) if we have actual knowledge that the consumer is less than 16 years of age.

Your CCPA Right to Opt Out of "Sale" or "Sharing" of Personal Information

Californians have a right to direct us not to "sell" or "share" certain personal information as those terms are defined in the CCPA. You can also exercise that right by following the steps available through "Your Privacy Choices" form.

Your browser may also offer a way to activate the Global Privacy Control signal (“GPC”). By default, our websites each treat qualifying browsers for which a California user has activated the GPC signal as having opted out of what CCPA calls a "sale" or "sharing" of any California personal information that is collected on that site from that browser using cookies and similar technology. You can override that treatment for a GPC-enabled browser by managing your cookies through the Cookie notice.

You also can contact our support team at help@postman.com to perform the portion of the "sale" or "sharing" opt-out process in which you provide us with contact information.

Opting out of "sales" and "sharing" limits only some types of disclosures of personal information, and there are exceptions to all of the rights described in this section.

Your CCPA Information, Correction & Deletion Rights

The CCPA also allows you to request us to:

  • provide access to and/or a copy of certain personal information we hold about you;
  • correct certain personal information we have about you;
  • delete certain personal information we have about you; and
  • inform you about the categories of personal information we have collected about you in the preceding 12 months; the categories of sources of such information; the business or commercial purpose for collecting or selling your personal information; and the categories of third parties with whom we have disclosed certain personal information, and more specific detail about what categories of information were "sold," "shared" or disclosed to particular categories of third parties, similar to the detail above this section of the Privacy Policy.

If you would like to exercise any of these rights, you may use the options described in the "How to access and control your information" section of this Privacy Policy (if applicable to your information and your request) or submit your request at help@postman.com.

Please note that certain information may be exempt from such requests under California law. For example, we need certain information to provide our services to you, so we may reject a deletion request for that information while providing services to you.

We do not use or disclose "sensitive personal information" as defined in the CCPA in a manner that requires us to offer a special right to limit our use of this data under the CCPA due to its sensitive nature.

Verification of Requests to Exercise CCPA Rights

We may take reasonable steps to verify your identity before responding to your request, which may include, depending on the sensitivity of the information involved, the nature of our relationship with you, and the type of request you are making, verifying your name, email address, and other information regarding your use of our services.

Requests Made by Agents

You can designate an authorized agent to make a CCPA request on your behalf. To do so, we must receive a legally sufficient power of attorney signed by you pursuant to California Probate Code sections 4121 to 4130, or other written authorization acceptable to us, for the agent to act on your behalf. You may still need to verify your identity and confirm the agent's authority directly with us if we are not convinced of the validity of the agent's request. For security and legal reasons, we reserve the right to reject requests that require us to visit an agent's website. Because opt-out requests for sales and sharing made through cookies and related technology must be performed from each browser that is used to access our services, it is easiest for the consumer to perform such opt-outs themselves. However, if you wish for an agent to perform browser-based requests on your behalf, you may arrange for the agent to have access to your browser to make such requests, but you may not share your login credentials or logged-in access to our websites with an agent or any other third party. We are not responsible for the security risks of giving an agent browser access or any other arrangements that you may have with an agent.

Nondiscrimination

You also have a right not to receive "discriminatory treatment" (within the meaning of the CCPA) for the exercise of the privacy rights conferred by the CCPA.

Our policy towards children

Our Services are not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact help@postman.com.

Changes to our Privacy Policy

We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice through the Services homepages or login screens, or by sending you an email notification. We will also keep prior versions of this privacy policy in an archive for your review upon request. We encourage you to review our privacy policy whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.

If you disagree with any changes to this privacy policy, you will need to stop using the Services and delete your account(s), as outlined above.

Contacting Us

If there are any questions or complaints regarding this privacy policy or our handling of personal information, you may contact us using the information below.

privacy@postman.com

Postman, Inc. or Postdot Technologies UK Ltd.
ATTN: Legal
201 Mission Street, Suite 2375
San Francisco, CA 94105

Key Changes

September 2023

  1. Updates for the EU-U.S. Data Privacy Framework and UK and Swiss equivalents, clarification of rights and data practices, and more detail regarding our handling of "personal information" in our capacity as "processor" to our customers within the meaning of the GDPR.
  2. Updates to "Disclosures for California Residents" (i.e., CCPA).

2024 State of the API report is here!

Discover key API trends from 5,600+ devs and API professionals in Postman's annual report.