Privacy Statement

Updated May 3, 2018

This privacy statement explains how Qualtrics handles personal data collected during the normal course of business (sales, marketing, and support), as well as how data are processed in its software and services. Qualtrics complies with the EU-U.S. Privacy Shield framework and the Swiss Privacy Shield framework. It retains the American Arbitration Association/International Centre for Dispute Resolution (AAA/ICDR) for disputes. For specific information about GDPR, please visit

1. Qualtrics software and services

Qualtrics creates the most advanced online survey software for corporations, research companies, and universities. The software is provided in an Application Service Provider (ASP) model, accessed using a modern browser via the Internet. All Qualtrics products are self-service, whereby the end-users are solely responsible for what data to collect and from whom. Survey respondents may use mobile devices to complete a survey.

All customer data collected using the software are stored in a single secure data center; data do not “float” around in the cloud.

Surveys may be distributed in numerous ways: via email, a web link, or an offline mobile app. Surveys may require a password or other authentication by the respondent.

2. Data collected during normal business transactions (unrelated to the software)

For the site: Qualtrics collects and analyzes aggregate information of visitors, including the domain name, visited surveys, referring URLs, and other publicly available information. We use this information to help improve our website and services, and to customize the content of our pages for each individual customer. Cookies may be used to deliver customized content to website visitors. No personal data are collected when browsing this site.

Qualtrics does not sell or make available specific information about our customers or their clients except as requested by a valid court order or otherwise required by law. We maintain a database of user information which is used only for internal purposes such as technical support, marketing-related activities, and to notify customers of changes or enhancements to the services. Qualtrics uses secure services for online credit card payment transactions, and does not record or store credit card information on its site or servers.

3. Data collected by customers

For this section, customers are end-users with valid Qualtrics accounts. Customers own and control all information input into the Qualtrics software or generated on behalf of customers in connection with the Services (“Data”). Depending on how the Customer chooses to use the software, Data may include personal information. Customers manage all Data, as well as the users who create, manage, distribute, or report the Data.

Qualtrics treats all Data as highly confidential and does not classify or represent the Data because only the Customer itself knows what data it’s collecting. In other words, Qualtrics provides the services, and Customers use the services as they wish. All Data are safeguarded using industry best security practices that prevent unlawful disclosure.

Qualtrics is FedRAMP Authorized. FedRAMP is the gold standard of U.S. government security compliance, with over 300 controls based on the highly regarded NIST 800-53 that requires constant monitoring and periodic independent assessments. More information is found at
Qualtrics is now ISO 27001 certified. More information is at our security statement

Qualtrics will process Data for the purpose of providing the software and services to customers. Qualtrics may also anonymize and aggregate the Data and use such anonymized and aggregated data for its business purposes. Customers must ensure that they follow applicable laws when distributing surveys. This includes following applicable law when collecting personal and health information, preventing unsolicited emails from being sent, and deleting personal information when no longer required.

Unless required by law, Qualtrics will never transfer Data to a third party without the written permission of the customer. In other words, there is no onward transfer.

Qualtrics enables Customers to be compliant with various privacy-related regulations and laws. Features within the products may be used to modify and delete data, create anonymous surveys, and more. For details, please visit

Qualtrics employees do not actively view Data. Any access to Customer accounts requires consent by the end-user, and any exposure to personal information is incidental to providing the services. Customers have the ability to disable Qualtrics support from accessing their accounts, but doing so may hinder timely responses and the quality of support.

4. Complaints and inquiries

Qualtrics is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and individuals have a right to contact the FTC regarding services provided by Qualtrics.

If you are an EU or Swiss citizen, and have questions about your personal information that may have been collected in a Qualtrics survey, please contact the entity that created or sent you the survey. Data collected and only processes Data as controlled by the customer. If the survey creator is unresponsive to your inquiry, please contact Qualtrics Support.

General inquiries regarding this policy, or any complaints regarding surveys that are unresolved by the survey creator, may be sent to Qualtrics Support by visiting and clicking on “Contact Us” or by calling the number listed on the main web site. There is no charge for this inquiry.

Qualtrics has a team of legal and technical staff to maintain compliance with this policy. For legal inquiries, please contact:

Independent Recourse Mechanism: Any disputes are handled by the International Centre for Dispute Resolution (details below). Inquiries are free of charge.

5. Information related to Privacy Shield

For details about the Privacy Shield program:

Qualtrics complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Qualtrics has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

The key goals of Privacy Shield are to inform both EU and Swiss individuals about:

  • the right of individuals to access their personal data
  • the choices and means your organization offers individuals for limiting the use and disclosure of their personal data
  • the requirement for your organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements

Qualtrics’ Privacy Shield self-certification does not cover human resources data.

In compliance with the Privacy Shield Principles, Qualtrics commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Qualtrics at:

Qualtrics has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost to you.

During the normal provisioning of the Qualtrics services, no data are transferred between geographical regions. All data are stored in a specific data center chosen by the customer/controller. If there is a case when personal data are transferred from the EU to the United States, it is solely for the purpose of processing as per instructions from the controller.

Qualtrics provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed.

Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.

Qualtrics self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Qualtrics is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.

Under Privacy Shield, an individual has the right, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Qualtrics must respond to individual complaints within 45 days. For additional information, visit:

Qualtrics’ Independent Dispute Resolution (IDR) Provider is:
American Arbitration Association
International Centre for Dispute Resolution
New York City, New York, USA

U.S. Department of Commerce:

Federal Trade Commission:

6. List of Sub-processors

Presently, Qualtrics uses the following sub-processors for optional services to process personal data in the Subscription Services. There is no requirement to use these optional services when using the Qualtrics Services.

Subprocessor: Google, LLC
Function: Translation service (manually controlled by user)