UserTesting, Inc. provides access to platform (“Platform”) and related services (“Services”) that allows UserTesting Customers (“Customers”) to conduct usability tests (“User Tests”) and individuals taking part in such User Tests (“Testers”) to perform and record tests. In it’s provision of the Services, UserTesting may collect, record and analyze information about Customers and Testers which may include individually identifiable information that would allow UserTesting to determine the actual identity of, and contact, a specific living person), billing information, account settings and other data (“Personal Data”).
Any information stored on UserTesting’s platform is treated as confidential. All information is stored securely and is accessed by authorized personnel only. UserTesting implements and maintains appropriate technical, security and organizational measures to protect Personal Data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure.
2. COLLECTION AND USE
The following sections describe the specifics of both types of groups from which data is collected: Customers and Testers.
Testers should be aware that in taking part in User Tests, they may be disclosing information that could make them personally identifiable to UserTesting Customers. Testers should be aware that they are responsible for the content provided during their User Tests. UserTesting will not process Personal Data for purposes or by other means than as instructed by Customers or as otherwise necessary to provide the Services.
In order to provide the Services to Customers, UserTesting collects certain types of data from its Customers. Further, Customers may collect or request information from Testers when utilizing the Services, subject to the terms of service entered into between UserTesting and all Customers.
2.3.1 Collection of Customer Data
During a Customer’s utilization of the Platform and Services, Customers may be requested to provide information such as name, company name, email address, address, telephone or other relevant Personal Data (collectively “Customer Data”). This Personal Data is used by UserTesting to identify each Customer and provide them with Services, support, billing and to meet other contractual obligations. UserTesting will delete Customer’s Personal Data upon request from such Customer, unless complying with such request would violate an applicable law, statute or other contractual obligation.
2.3.2 Collection of Tester Data By Customers
User Tests are created by Customers. As such, it is the Customer’s responsibility to ensure that collection and processing of information provided by Testers during User Tests (“Tester Data”) is done in accordance with applicable law. UserTesting will not process Tester Data for other purposes or by other means than as instructed by Customers or as necessary to provide the Services.
Tester Data includes data from all Testers uploaded, transferred or manually entered during a User Test. Tester Data may include Personal Data, including personal contact information such as name, address, telephone number, email address or other personal demographic information. For Customers in the EEA (defined below), or for Customers engaging Testers in the EEA, the Customer will be the “controller” as defined by the European Union’s General Data Protection Regulation (“GDPR”) as further explained below.
2.4 Geographical Location
For UserTesting Customers and Testers, all Personal Data shall be processed in data storage centers located in the United States.
2.4.1 Processing in the EEA
For Customers with accounts located in the EEA, all processing of Personal Data is performed in accordance with privacy rights and regulations following the EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Directive), and the implementations of the Directive in local legislation. From May 25th, 2018, the Directive and local legislation based on the Directive will be replaced by the Regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation (GDPR), and UserTesting’s processing will take place in accordance with the GDPR.
188.8.131.52 Controller and Processor (GDPR)
UserTesting processes Personal Data both as a Processor and as a Controller, as defined in the Directive and the GDPR:
UserTesting will be the Controller for User data, as outlined above in “Collection of Customer Data” section.
For Tester data collected during Customer’s utilization of the Platform and Services, as outlined in the “Collection of Tester Data” section, the Customer will be the Controller in accordance with Directive and GDPR, and UserTesting will be the Processor.
All data collected by UserTesting will be stored in secure hosting facilities provided by Amazon Web Services. UserTesting maintains a data processing agreement in place with its provider, ensuring compliance with the Directive and GDPR. All hosting is performed in accordance with the highest security regulations. All transfers of data internally in the EEA is done in accordance with this data processing agreement.
2.4.2 Processing Outside of the EEU
For Customers with accounts not located in the EEU, UserTesting processes data solely in data centers located in the United States of America. UserTesting has adopted reasonable physical, technical and organizational safeguards which substantially mirror the EU safeguards against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, use or processing of the Customer’s data in UserTesting’s possession. UserTesting will promptly notify the Customer in the event of any known unauthorized access to, or use of, the Customer’s data.
All data collected by UserTesting Customer’s through their use of the Platform and Services will be stored exclusively in secure hosting facilities provided by Amazon Web Services. UserTesting’s contract with its hosting provider ensures that all hosting is performed in accordance with the highest security regulations. UserTesting’s policy is to protect and safeguard any personal information obtained by UserTesting in accordance with United States state or federal laws governing the protection of personal information and data. Accordingly, UserTesting adheres to practices and policies that aim to safeguard all such data.
3. RETENTION AND DELETION
UserTesting will keep information needed to provide the Services to Customers as long as there exists a valid business purpose, in accordance with applicable law and our Service and/or Tester Agreements, and will delete such data upon written request from a Customer or Tester, provided such deletion complies with all applicable laws or regulations. For Tester Data, Customers have control of the purpose for collecting data. Customers with an active UserTesting account will therefore have the responsibility to delete data if required. When a Customer’s account is terminated or expired, all Personal Data collected through the platform will be deleted upon written request from Customer as required by applicable law.
4. ADDITIONAL CONSIDERATIONS
4.1 Usage and Device Data
UserTesting collects usage data about Visitors to our website, including pageviews, clicks, and log files containing originating IP addresses. In addition, UserTesting collects data from the device and applications used to access our Services including IP address and browser type.
4.2 Referral Data
UserTesting records if a Visitor arrives at UserTesting website from an external source (such as a link on another website or in an email).
4.3 Information from Third Parties
UserTesting collects Personal Data or other data from third parties, if Customers give permission to those third parties to share your information with us.
Visitors have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but individuals can usually modify browser settings to decline cookies. More information about disabling cookies is available at www.allaboutcookies.org. Choosing to decline cookies may result in decreased function on UserTesting websites.
Individuals who do not consent to the collection, use, or disclosure of their Personal Data as outlined in this policy should not provide any Personal Data to UserTesting. If an individual has provided Personal Data to UserTesting and no longer consents to its use or disclosure as outlined here, then the individual should contact UserTesting at firstname.lastname@example.org.
4.5 Data Integrity
UserTesting will use Personal Data only in ways compatible with the purposes for which it was collected or authorized by our Customers, or as requested in connection with Tester requests.
In most cases, our collection of Personal Data is related to our Customers and Testers and collected under the terms of our Service Agreement and Tester Agreement, respectively. Individuals that wish to request access to, correction, or deletion of Personal Data they submitted to the UserTesting corporate website should contact UserTesting at email@example.com.
No data transmissions over the Internet can be guaranteed to be 100% secure. UserTesting cannot ensure or warrant the security of any information transmitted to UserTesting. All transmissions of information are done at the senders own risk. Once UserTesting is in possession of any information, UserTesting will make reasonable efforts to ensure the security of its systems.
UserTesting has adopted physical, technological, and administrative procedures to safeguard and secure the information we process. By using this website or providing Personal Data to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of this website.
7. PRIVACY SHIELD
The Privacy Shield program applies to the processing of Personal Data in regards to the collection, use and retention of Personal Data from Testers located in Switzerland and the European Union and European Economic Area, as set out by the U.S. Department of Commerce. UserTesting has certified that it adheres to the Privacy Shield Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse/enforcement/liability. UserTesting is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
All employees of UserTesting who handle Personal Data from Switzerland and the European Union are required to comply with the Privacy Shield Principles.
As part of our participation in the Privacy Shield program, we will resolve disputes you have with us in connection with our policies and practices through JAMS ADR. For more information and to contact JAMS ADR directly, visit www.jamsadr.com. As a last resort and in limited situations, Swiss and EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
UserTesting’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, UserTesting remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the Personal Data on its behalf do so in a manner inconsistent with the Principles, unless UserTesting proves that it is not responsible for the event giving rise to the damage.
UserTesting encourages you to contact our Head of Privacy and Security at firstname.lastname@example.org should have any Privacy Shield-related (or general privacy-related) complaint. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. UserTesting is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
9. ADDITIONAL RESOURCES
For additional information on UserTesting’s GDPR compliance, please visit our GDPR page.
Last updated: May 22, 2018