Privacy Statement

Updated December 21, 2017

This privacy statement explains how Qualtrics handles personal data collected during the normal course of business (sales, marketing, and support), as well as how data are processed in its products and services. Qualtrics complies with the EU-U.S. Privacy Shield framework and the Swiss Privacy Shield framework, and retains the American Arbitration Association/International Centre for Dispute Resolution.

1. Qualtrics products

Qualtrics creates the most advanced online survey software for corporations, research companies, and universities. The software is provided in an Application Service Provider (ASP) model, accessed using a modern browser via the Internet. All of Qualtrics products are self-service, whereby the end-users are solely responsible for what data to collect and from whom. Survey respondents may use mobile devices to complete a survey.

All customer data collected using the software are stored in a single secure data center; data do not “float” around in the cloud.

Surveys may be distributed in numerous ways: via email, a web link, or off-line mobile app. Surveys may require a password or other authentication by the respondent.

2. Data collected during normal business transactions (unrelated to the software)

For the www.qualtrics.com site: Qualtrics collects and analyzes aggregate information of visitors, including the domain name, visited surveys, referring URLs, and other publicly available information. We use this information to help improve our website and services, and to customize the content of our pages for each individual customer. Cookies may be used to customize content delivered to website visitors.

Qualtrics does not sell or make available specific information about our customers or their clients except as requested by a valid court order or otherwise required by law. We maintain a database of user information which is used only for internal purposes such as technical support, marketing-related activities, and to notify customers of changes or enhancements to the services. Qualtrics uses secure services for online credit card payment transactions, and does not record or store credit card information on its site or servers.

3. Data collected by customers

For this section, customers are end-users with valid Qualtrics accounts. Customers own and control all information input into the Qualtrics software or generated on behalf of customers in connection with the Services (“Data”). Depending on how the Customer chooses to use the software, Data may include personal information. Customers manage all Data, as well as the users who create, manage, distribute, or report the Data.

Qualtrics treats all Data as highly confidential and does not classify or represent the Data because only the Customer itself knows what data it’s collecting. In other words, Qualtrics provides the services, and Customers use the services as they wish. All Data are safeguarded using industry best security practices that prevent unlawful disclosure.

Qualtrics is presently undergoing certification under the FedRAMP program, the “gold standard” of security compliance. FedRAMP has over 900 controls based on the highly-regarded NIST 800-53, and requires constant monitoring and periodic independent assessments. More information is found at https://www.fedramp.gov

Qualtrics will process Data for the purpose of providing the software and services to customers. Qualtrics may also anonymize and/or aggregate the Data and use such anonymized and/or aggregated data for its business purposes, including but not limited to deriving statistical, usage data, and other data related to the functionality of the software and the services, improving the software and the services, developing and making available other products and services, and sharing such data with affiliates and business partners, and may combine or incorporate it with or into other data and information available, derived or obtained from other licensees, users, and/or any other sources. Customers must ensure that they follow applicable laws when distributing surveys. This includes following applicable law when collecting personal and health information, preventing unsolicited emails from being sent, and deleting personal information when no longer required.

Qualtrics will never transfer Data to a third-party without the written permission of the customer. In other words, there is no onward transfer.

Qualtrics employees do not actively view Data. Any access to Customer accounts requires consent by the end-user, and any exposure to personal information is incidental to providing the services. Customers have the ability to disable Qualtrics support from accessing their accounts. But by doing so, it may hinder timely responses and the quality of support.

4. Complaints and inquiries

Qualtrics is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and individuals have a right to contact the FTC regarding services provided by Qualtrics.

If you are an EU or Swiss citizen, and have questions about your personal information that may have been collected in a Qualtrics survey, please contact the entity that created or sent you the survey. Qualtrics is not responsible for any Data collected and only processes Data as controlled by the customer. If the survey creator is unresponsive with your inquiry, please contact Qualtrics Support.

General inquiries regarding this policy, or any complaints regarding surveys that are unresolved by the survey creator, may be sent to Qualtrics Support by visiting https://www.qualtrics.com/support/ and clicking on “Contact Us” or by calling the number listed on the main www.qualtrics.com web site. There is no charge for this inquiry.

Qualtrics has a team of legal and technical staff to maintain compliance with this policy. For legal inquiries, please contact: notice@qualtrics.com

Independent Recourse Mechanism: Any disputes are handled by the International Centre for Dispute Resolution (details below). Inquiries are free of charge.

5. Information related to Privacy Shield

For details about the Privacy Shield program: https://www.privacyshield.gov/

Qualtrics complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Qualtrics has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

The key goals of Privacy Shield are to inform individuals, both EU and Swiss individuals, about:

  • the right of individuals to access their personal data
  • the choices and means your organization offers individuals for limiting the use and disclosure of their personal data
  • the requirement for your organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements

Qualtrics’ Privacy Shield self-certification does not cover human resources data.

In compliance with the Privacy Shield Principles, Qualtrics commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Qualtrics at: notice@qualtrics.com

Qualtrics has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost to you.

During the normal provisioning of the Qualtrics services, no data are transferred between geographical regions. All data are stored in a specific data center chosen by the customer/controller. If there is a case when personal data are transferred from the EU to the United States, it is solely for the purpose of processing as per instructions from the controller.

Qualtrics provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed.

Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.

Qualtrics self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Qualtrics is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.

Under Privacy Shield, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Qualtrics must respond to individual complaints within 45 days. For additional information, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Qualtrics’ Independent Dispute Resolution (IDR) Provider is:
American Arbitration Association
International Centre for Dispute Resolution
New York City, New York, USA
www.icdr.org

U.S. Department of Commerce:
https://www.commerce.gov/news/fact-sheets/2016/07/fact-sheet-overview-eu-us-privacy-shield-framework

Federal Trade Commission:
https://www.ftc.gov/news-events/press-releases/2016/02/statement-ftc-chairwoman-edith-ramirez-eu-us-privacy-shield-0

6. Qualtrics EU Data Silo

Qualtrics offers customers wishing to process all data in Europe the EU Data Silo option. The basis for this option is to keep all collected Data in an EU data center and provide all support from our Dublin, Ireland office. Please contact your Qualtrics account executive for more details.

7. List of Sub-processors

Presently, Qualtrics does not use sub-processors to process personal data in the Subscription Services.