As the global “work from anywhere” company, GoTo provides products that simplify how people connect with each other and the world around them. With users in nearly every country around the world, we maintain a global data privacy program designed to secure and protect the data entrusted to us by our customers, users, and end-users.

Quick Reference Guide

Data Processing Addendum | Sub-Processor Disclosures | Government Request Policy | International Transfer FAQ | Technical and Organizational Measures | Privacy Policy | Individual Rights Management Portal

Program Overview

Global Data Privacy Program

GoTo’s data privacy program is designed to respond to today’s applicable privacy rules and regulations and takes into account many of the world’s major data protection regimes, including, but not limited to:

  • Australia’s Privacy Act (1988)
  • Brazil’s General Data Protection Law (LGPD)
  • California Consumer Privacy Act (CCPA)
  • General Data Protection Regulation (GDPR)
  • United Kingdom’s Data Protection Act (2018)

TRUSTe Enterprise Privacy & Data Governance Practices Certification

GoTo has obtained the TRUSTe Enterprise Privacy & Data Governance Practices Certification to further demonstrate our ongoing commitment to data protection. To view our certification status please click here. To learn more, please visit our blog post.

Data Transfers

APEC CBPR and PRP Certifications

GoTo has obtained Asia-Pacific Economic Cooperation ("APEC") Cross-Border Privacy Rules ("CBPR") and Privacy Recognition for Processors ("PRP") certifications. The APEC CBPR and PRP frameworks are the first data regulation frameworks approved for the transfer of personal data between APEC-member countries, and were obtained and independently validated through TrustArc, an APEC-approved third-party leader in data protection compliance. To learn more about our APEC certifications, please click here. To review our APEC commitments, please consult our Privacy Policy.

Data Processing Addendum

In addition to maintaining Terms of Service and Privacy Policies designed to support and adapt to changing regulatory requirements and industry standard practices, GoTo is pleased to offer a comprehensive global Data Processing Addendum (“DPA”), available here (in multiple languages), which is designed to meet the requirements of applicable data privacy laws and regulations, including the CCPA, GDPR, and LGPD. Key features of our DPA include:

  1. CCPA

    We are dedicated to ensuring that our services continue to comply with the applicable provisions of the CCPA (and the CPRA, once in effect), and that our privacy and security measures are meeting or exceeding industry standard practices. To account for CCPA, our global DPA includes: (a) definitions which are mapped to CCPA; (b) applicable access and deletion rights; and (c) warranties that GoTo will not sell our users’ ‘personal information.’

  2. GDPR

    Our DPA incorporates several GDPR-focused data privacy protections, including: (a) data processing details, sub-processor disclosures, etc. as required under Article 28; (b) the revised 2021 Standard Contractual Clauses (the “SCCs”) to permit lawful transfer of ‘personal data’ under Chapter 5; and (c) the incorporation by reference of GoTo's technical and organizational measures documentation.

  3. LGPD

    GoTo has taken steps designed to ensure that our Brazilian customers can benefit and use our products in compliance with the LGPD. These steps include provisions in our DPA that: (a) address GoTo’s compliance with LGPD; (b) support lawful transfers of personal data to/from Brazil; and (c) ensure that our users enjoy the same privacy benefits as our other global users.

  4. Standard Contractual Clauses

    The SCCs are standardized contractual terms, recognized and adopted by the European Commission, drafted to help ensure that any personal data leaving the EEA will be transferred in compliance with EU data-protection law. GoTo’s DPA offers customers the latest SCCs, issued by the European Commission on June 4, 2021, that make specific guarantees around transfers of personal data for in-scope GoTo services as can be found here. Execution of the SCCs helps ensure that GoTo customers can freely move data from the EEA to the rest of the world.

International Data Transfers and Supplemental Measures

GoTo has designed its privacy and security programs to ensure an appropriate level of data protection and has outlined the supplemental measures and safeguards for transfers of personal data outside of the European Union, European Economic Area, and the United Kingdom in this FAQ document (also available in German).

Privacy Controls, Procedures, and Disclosures

Processing Locations

To help ensure sufficient service availability, uptime, and redundancy to provide our global user base with the best possible experience, GoTo uses a combination of geographically distributed physical co-location facilities and cloud hosting providers that perform replication in near-real-time.

Each product makes use of different infrastructures. Therefore, product-specific data centers are identified in the applicable Sub-processor Disclosure located in the Product Resources section of our Trust and Privacy Center at

Data Retention, Deletion, Export, and Access Controls

GoTo's product offerings feature comprehensive technical privacy controls and capabilities which include data retention, deletion, export (into a machine-readable format), and access functionality. Please consult the product-specific technical and organizational measures as found in the Technical and Organizational Measures "TOMs" documentation available in the Trust and Privacy Center for more details. For best results, please filter by service or suite at the top of the Product Resources page.

Technical and Organizational Measures

GoTo’s technical and organizational security measures are designed to prevent the unauthorized access to personal data, and to ensure the ongoing confidentiality, integrity and availability of GoTo’s products and services. Detailed information regarding GoTo’s encryption capabilities and other security measures can be found in the Trust & Privacy Center’s Product Resources page. For best results, please filter by service or suite at the top of the Product Resources page.

Sub-processor Disclosures

GoTo engages with first and third-party sub-processors to provide and operate our services. Please consult the Trust & Privacy Center’s Product Resources page to review service or suite-specific hosting and processing locations, including applicable affiliate and third-party sub-processor disclosures. For best results, please filter by service or suite at the top of the Product Resources page.

Government Requests

GoTo maintains a comprehensive Government Request Policy and will only provide customer information if a government request is supported by applicable law. While detailed information about how GoTo handles government requests may be found in the policy linked above, it is GoTo’s position that absent a valid warrant, subpoena, court order, or equivalent legal process, GoTo will not disclose customer information. In addition, GoTo may seek to narrow requests that we believe are overly broad in scope, request additional context if the nature of the investigation is unclear, or push back on the request for other reasons.

Individual Rights Management Portal

The Individual Rights Management Portal is your destination for managing GoTo-related data subject requests and finding answers to common privacy and security questions. Use the portal to submit a data subject access request, review the locations, types, and purposes of data processing, exercise certain other data protection rights, and learn about GoTo’s privacy and security practices.