Elastic Product Privacy Statement

Effective Date: September 16, 2025

This Product Privacy Statement (the "Product Privacy Statement" or "Statement") explains how Elastic N.V. and its subsidiaries ("Elastic," "we", "us" and "our") collect, use and share information, including information relating to an identified or identifiable natural person ("personal data" or "personal information") from our customers or users ("you" and "your") when you use, or demo, Elastic's products such as Elastic Self-Managed Software, Elastic Cloud Services, or any other services maintained by Elastic for use by our customers or users, such as Support Services (together the "Products").

Scope & Responsibilities
Information Collected from the Products
How We Use Product Usage Data
How We Share Product Usage Data
How We Use Cookies and Data Collection Tools
User Privacy Rights and Choices
Security
International Data Transfers
Data Privacy Framework
California Privacy Rights
Other Information
How to Contact Us


Scope & Responsibilities

This Statement applies to the information we collect in connection with your use of the Products and for which we determine the means and purposes of processing (i.e., as a "data controller").

This Product Privacy Statement does not cover:

  • Personal data processed by Elastic according to our General Privacy Statement, such as personal data collected when you visit, interact with or use any of our websites, social media pages, marketing or sales communications, or register for our products and services and you visit, interact with or use any of our offices, events, sales, marketing and other offline activities. Please see our General Privacy Statement for details on how this information is processed.
  • Personal data processed by Elastic according to our Candidate Privacy Statement when an individual applies or is referred for a role with Elastic through our Site or otherwise.
  • Personal data processed by Elastic as a Processor. This Product Privacy Statement does not apply to personal data processed by Elastic in the role of a Processor or Service Provider (as applicable), which is subject to the terms of the applicable customer agreement.
  • Organizational Users. When you use the Products on behalf of an organization (e.g., your employer), your use is administered and provisioned by your organization per its own policies regarding the use and protection of personal data. If you have questions about how your data is being used by your organization, please refer to your organization's privacy policy and direct your inquiries to your organization's system administrator.


Information Collected from the Products

When you use our Products, Elastic may collect information about how you are using the Products ("Product Usage Data"). While the purpose of collecting Product Usage Data is not to identify individuals or otherwise to gather personal data, in accordance with the terms of the applicable agreement and subject to your deployment model and configuration settings:

Product Usage Data may include:

  • Account Data: information collected when you create an account with us, such as the name, email address, username, company name, and company ID associated with your account.
  • Cluster Data: information about your Elasticsearch Cluster. This may include statistics related to uptime, node count, node types, indexes, shards, and segments.
  • Product Performance Data: information about the performance of the Products. This may include metrics on the performance and scale of the Products and response times.
  • Products and System Data: information about the Products you are using and about the systems and related environment from which you access the Products. This may include Product type and version, deployment ID, license information, installed plug-ins, UUID, operating system, hardware version, MAC address, IP address, network connection type, browser type, device type, and third-party systems used in connection with the Products, which includes technical details such as software identifiers, attributes and descriptors.
  • Feature Usage Data: information about how you are using the Products. This may include details about which features are used and user interface metrics, clickstream data, search queries entered, functions and commands executed, AI inputs and outputs, number of searches, and types of searches.
  • Security Data: information that is essential for the security components of Elastic Products to deliver their full functionality. This may include information on the networks and network identifiers associated with the sources and destinations of detected or suspected threats (which may include IP addresses, URLs, and DNS queries), security sensor performance metrics, user, device and object identifiers, security configurations and detections, metadata, hashes and contents of potentially malicious executable binaries, other file hashes, samples and metadata, or code that might interfere with, disable, misuse or threaten Elastic Products, our customers, or the secure use of our Products.
  • Product Enablement Data: technical and operational information that is essential for the operation of certain Elastic features, which will be transmitted to Elastic unless the customer opts to run the Products in an air-gapped environment (please see our Product Documentation for more details on air-gapped environments). This may include, for example, security event data, activity logs, traces, and other event metrics for the operation of Elastic security and observability features.
  • Support Related Data: may include information collected about how you use Support Services. This may include data that pertains to your interactions with the support interface and process, including inputs to and outputs from Elastic's human and AI support agents, generalized, non-identifiable insights generated from the analysis of such data as performed within the scope of the service engagement, as well as sanitized or aggregated derivatives from artifacts submitted by customers to our Support Services, such as log files, diagnostic bundles, heap dumps, and code samples.


How We Use Product Usage Data

We use Product Usage Data to fulfill our contractual obligations and to enforce our rights in providing the Products to you, to comply with our legal obligations, as well as to pursue our legitimate interest in maintaining and enhancing our Products, and conducting our business operations. In particular, we may use Product Usage Data for the following purposes:

Delivering our Products:

  • Supporting our customers and users: Elastic may use Product Usage Data to provide proactive or reactive support to our customers and users (such as guidance to help optimize usage), and to identify product and service capability and performance improvement opportunities.
  • Conducting account administration: Elastic may use Product Usage Data to provide the Products and for account management, such as managing product downloads, updates, and fixes, and sending other administrative or account-related communications, including release notes and billing information.
  • Conducting Research for Product development and improvement: Elastic may use Product Usage Data to analyze the use of the Products, to prioritize the development and testing of new features and functionality, to develop, test, and improve diagnostic, optimization, and support tools (including with the use of automation, machine learning and artificial intelligence), to improve our support responses, as well as to identify, understand, and anticipate performance issues and the factors that affect them.
  • Maintaining the security of our Products: Elastic may use Product Usage Data to maintain the security and operational integrity of the Elastic IT infrastructure and of our Products; to monitor for, prevent and detect fraud; to enhance product and service security; to verify identity and to control and monitor access; to combat spam, as well as to defend against malware and other cyber threats; to detect security events and to respond to incidents; to manage the performance and stability of the Products, addressing technical issues, and operating our back-up, business continuity and disaster recovery plans and policies.
  • Confirming your compliance with contractual obligations: Elastic may use Product Usage Data to confirm your compliance with contractual and other obligations in connection with the relevant Product.
  • Conducting business-to-business marketing and sales: Only where and to the extent permitted by law, Elastic may use Product Usage Data to personalize your experience and to suggest other Elastic Products to you, to solicit your feedback, to increase engagement and adoption of our features (e.g., by providing in-Product suggestions), to market additional Products to our customers and users, to improve financial forecasting, to inform pricing and packaging decisions, and to guide sales and marketing strategies.
  • Complying with legal requirements: Elastic may use Product Usage Data to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, auditing, archiving and insurance purposes, legal and business consulting, and dispute resolution. Elastic may be legally required to access personal data contained in Product Usage Data, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect or defend our rights or property of Elastic or users of the Products, protect the safety of others, to investigate fraud, or respond to government requests, including in response to lawful requests by public and government authorities outside a user's country of residence, including to meet national security or law enforcement requirements.


How We Share Product Usage Data

We take care to ensure that the Product Usage Data is accessed internally only by individuals that require access to perform their tasks and duties, and externally only by authorized service providers with a legitimate purpose for accessing it. We contractually require such service providers to safeguard any confidential data they may receive from us. We will not sell your personal data or allow a third party to use your personal data for its own commercial purpose.

With Elastic Companies

We may transfer Product Usage Data to other Elastic entities in the US and worldwide for the purposes outlined in this Privacy Statement. We protect Product Usage Data per this Statement wherever it is processed and take appropriate contractual or other steps to protect it under applicable laws. To the extent the Product Usage Data includes personal data, these steps include participating in the U.S. Department of Commerce's Data Privacy Framework (“DPF”), implementing the European Commission's standard contractual clauses along with supplementary measures, implementing the Information Commissioner's Office international data transfer addendum to the European Commission's standard contractual clauses, and relying on the European Commission's and the Information Commissioner's Office's adequacy decisions about certain countries, as applicable, for data transfers from the EEA, UK, and Switzerland to the United States and other countries. We have implemented similar appropriate safeguards with our service providers, partners, and affiliates. Furthermore, our privacy guidelines are communicated to our employees on an annual basis as part of our mandatory training.

With Service Providers

We may share Product Usage Data with third parties, such as vendors, consultants, agents and other service providers who provide services such as IT system administration and hosting, research and analytics, marketing, customer support, and data enrichment for the purposes and according to the legal bases described below. Our service providers are required by contract to safeguard any personal data they receive from us and are prohibited from using personal data for any purpose other than to perform the services as instructed by Elastic.

With Business Partners

We may share Product Usage Data with our partners, such as distributors and resellers, and to other business partners, to fulfill product and information requests, to effectively deliver unified support, to provide customers and prospective customers with information about Elastic.

With Competent Authorities

We may share your Product Usage Data when we believe, in good faith, that we must: (i) respond to duly authorized information requests of law enforcement agencies, regulators, courts, and other public authorities, including to meet national security or other law enforcement requirements; (ii) comply with any law, regulation, subpoena, or court order; (iii) investigate and help prevent security threats, fraud or other criminal or malicious activity; (iv) enforce/protect the rights and properties of Elastic or our affiliates; or (v) protect the rights or personal safety of Elastic's and our affiliates' employees, and third parties on or using Elastic property when allowed and in line with the requirements of applicable law.

Elastic may be required to disclose Product Usage Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. When doing so, we abide by principles analogous to the principles that govern our handling of requests relating to Customer Information.

For Corporate Transactions

We may share Product Usage Data where, whether for strategic or other business reasons, Elastic decides to sell, buy, merge, or otherwise reorganize its businesses. In such transactions, we may disclose or transfer Product Usage Data to prospective or actual purchasers.


How We Use Cookies and Data Collection Tools

Depending on the Product you use, we may use cookies or other technologies in furtherance of the purposes described in this Statement. The types of technology we use may change over time. Some of these technologies are essential for the provision of the Products, such as account access and authentication; others assist with the performance and functionality of the Products, such as recognizing returning users or remembering preferences; and others enable us to analyze and customize the Products and help us develop automated diagnostic and proactive features.


User Privacy Rights and Choices

We only collect a limited amount of personal data to fulfill the purposes outlined in this Statement. Depending on where you live, you may have certain rights with respect to your personal data such as:

  • Access: To request and obtain a copy of your personal data that is held by Elastic;
  • Rectification: To request the correction of your personal data held by Elastic in order to update any incomplete or inaccurate information;
  • Deletion: To request to have your personal data held by Elastic deleted;
  • Restrict Processing: To request that we restrict the processing of your personal data where:
    • You dispute the accuracy of the data;
    • The processing is unlawful, but you do not wish to have it delete; or
    • Elastic no longer needs the data, but you need it to assert, exercise, or defend legal claims;
  • Objection: To object to the further processing of your personal data at any time;
  • Portability: To request to receive the personal data you have provided to Elastic in a structured, commonly used, machine-readable format; and
  • Withdrawal of consent: To request to withdraw consent at any time, where previously given.

If your personal data is to be used for a new purpose that is materially different from that for which it was originally collected or subsequently authorized, or is disclosed to a non-agent third party in a manner that is not specified in this Statement, we will provide you with an opportunity to choose whether to have your personal data used or disclosed in such a manner. Requests opt-out of such uses or disclosures should be sent to us as specified in the "How to Contact Us" section of this Statement below.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Elastic also commits to resolve DPF Principles-related complaints about our collection and use of your personal data. Individuals located in the EU, UK, or Switzerland with inquiries or complaints regarding our handling of their personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Elastic by submitting this form. Please identify yourself and specify your request. We use commercially reasonable efforts to delete your personal data as required, but retain records necessary to comply with a governmental authority or applicable federal, state, or local law. Where legally permitted, we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, or jeopardize the privacy of others.

You may also have the right to complain to a data protection authority about our collection and use of your personal data. In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Elastic commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. If Elastic itself, or through cooperation with the relevant authority, does not resolve your complaint, you may have the possibility to engage in binding arbitration through the Data Privacy Framework Panel. For more information on this option, please see Annex I of the Data Privacy Framework Principles.


Security

Elastic is committed to protecting the security of your personal data. We use appropriate technical and organizational measures to protect your personal data from loss, misuse, and unauthorized access, alteration, or disclosure. Despite these measures, Elastic cannot eliminate every potential security risk associated with personal data and mistakes, and security breaches may happen.


International Data Transfers

Elastic operates globally, which means personal data may be transferred to countries other than the country in which the individual resides. These countries may have data protection laws that are different from the laws of the individual's country of residence.

Specifically, if you reside in the EEA, the UK, or Switzerland your personal data may be processed outside those places, in countries, including the US, which have different data protection laws.

We take steps to carry out these transfers in compliance with applicable laws. These steps include putting appropriate data transfer agreements in place to help protect your personal data, participating in the U.S. Department of Commerce's Data Privacy Framework, implementing the European Commission's standard contractual clauses along with supplementary measures, implementing the Information Commissioner's Office international data transfer addendum to the European Commission's standard contractual clauses, and relying on the European Commission's and the Information Commissioner's Office's adequacy decisions about certain countries, as applicable, for data transfers from the EEA, UK, or Switzerland to the United States and other countries. We implement similar appropriate safeguards with our third-party service providers and affiliates. Furthermore, our privacy guidelines are communicated to our employees on an annual basis as part of our mandatory training. We have taken appropriate safeguards to ensure that any personal data collected and transferred under this Product Privacy Statement will remain protected.


Data Privacy Framework

Elastic complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Elastic has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Elastic has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. Elastic's commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.

As set out above, Elastic uses a limited number of third-party service providers to assist us in providing our Products to our users and customers, and in otherwise conducting our business. These third parties may access, process, or store personal data in the course of providing their services. Elastic maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and Elastic remains liable if they fail to meet those obligations and Elastic is responsible for the event giving rise to the damage.


California Privacy Rights

See our California Privacy Rights Statement for information about California Privacy Rights, and other required disclosures, if any.


Other Information

Data Retention. We retain information collected in connection with the Products for so long as necessary to fulfill the purposes outlined in this Statement, or where we have an ongoing legitimate business need to do so (for example, to provide a user with a service that was requested or to comply with applicable legal, tax or accounting requirements).

Changes to this Product Privacy Statement. This Product Privacy Statement is subject to occasional revision. If we make any substantial changes in the way we use personal data, we will take appropriate measures to inform our customers, consistent with the significance of the changes we make. We will provide notice of any material Product Privacy Statement changes if and where required by applicable data protection laws.

The date of the most recent update to this Product Privacy Statement can be found by checking the "effective" date displayed at the top of this Product Privacy Statement.


How to Contact Us

If you have any questions or concerns regarding this Statement, you may fill out this form or write us by postal mail at:

Elastic N.V.
Attn: Privacy Team
Keizersgracht 281
1016 ED Amsterdam
The Netherlands

Data Protection Officer. Elastic has appointed Data Protection Officers for data subjects in those jurisdictions that require one. You can contact our Data Protection Officers here.

If we are unable to resolve your concerns, you have the right to contact your local data privacy supervisory authority or seek a remedy through the courts if you believe your requests to exercise your rights have not been honored.