This privacy statement explains how Qualtrics and our subsidiary Delighted (“Qualtrics”, “we”, “us”, “our”) handle personal data collected by us as a data controller during the normal course of business (sales, marketing, and support) (“Business Data”), as well as how Qualtrics as a data processor handles all information input into the Qualtrics software or generated on behalf of Customers in connection with the services (“Customer Data”). Qualtrics complies with the EU-U.S. Privacy Shield framework and the Swiss Privacy Shield framework. It retains the American Arbitration Association/International Centre for Dispute Resolution (AAA/ICDR) for disputes. For specific information about GDPR, please visit https://qualtrics.com/gdpr.
1. Qualtrics software and services
Qualtrics creates experience management software for corporations, research companies, government agencies, universities, and other organizations. The software is accessed using a modern browser via the Internet. Qualtrics products are self-service; Customers determine and are solely responsible for what and how Customer Data is collected. Customer Data may include data collected from respondents (“Respondents”).
Customer Data is stored in a single geographical region. Customer Data may be collected in numerous ways, including via email, a web link, or offline mobile app.
Qualtrics acts as a data processor with respect to Customer Data and processes this data as instructed by Customers, who are the data controllers.
2. Data collected during normal business transactions (unrelated to the software)
In the normal course of business, Qualtrics collects Business Data such as contact information (e.g. name, address, phone number, e-mail address, and employer) and payment details for Customers. We may also collect browsing data from individuals who visit the Qualtrics website. In these circumstances, Qualtrics acts as a data controller. Qualtrics also acts as a data controller with respect to client relationship management data. This is data that Qualtrics needs in order to provide services to Customers, including performing contractual obligations, engaging in marketing activities, and providing support services (e.g. processing and responding to Customer inquiries and requests).
We process Business Data in order to fulfill contractual obligations, based on the individual’s consent, or in accordance with our legitimate business interests in improving our services, software and website experiences for users. Where processing is based on consent, an individual may withdraw consent at any time by contacting us. Instructions for contacting us are provided below in Sections 4 and 5.
We retain personal data only for as long as necessary to fulfil the purposes of its collection, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of such personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For the www.qualtrics.com site, Qualtrics collects and analyzes aggregate visitor information, including the domain name, visited surveys, referring URLs, and other publicly available information. We use this information to improve our website and services and to customize the content of our pages for each website visitor. Cookies may be used to deliver customized content to website visitors.
Qualtrics does not sell or make available Customer Data except as requested by a valid court order, search warrant, subpoena, or otherwise as agreed by the parties or required by law. We maintain a database of user information which is used for internal purposes such as technical support, marketing-related activities, and to notify Customers of changes or enhancements to the services. Qualtrics uses secure services for online credit card payment transactions and does not record or store credit card information on its site or servers. Qualtrics may share Business Data with third parties and shall remain responsible for such transfers.
3. Data collected by customers
Customers own, and are data controllers of, Customer Data. Depending on how the Customer chooses to use the software, Customer Data may include personal data or personal information. Customers manage all Customer Data, as well as the users who create, manage, distribute, or report the Customer Data. To the extent that Qualtrics processes Customer Data, Qualtrics does so as a data processor on behalf of Customers.
Qualtrics processes Customer Data on behalf of Customers in a manner consistent with this Privacy Statement. Each Customer, in its capacity as a data controller, may process Customer Data in other ways. Respondents should check the Customer’s own privacy statement to learn how the Customer intends to process Respondent-specific data that may be included in Customer Data. If a Respondent submits queries to Qualtrics or otherwise seeks to exercise rights under applicable data protection legislation, Qualtrics will forward these requests to the relevant Customer, as can be reasonably determined, in accordance with our contractual arrangements.
Qualtrics treats all Customer Data as highly confidential. All Customer Data is safeguarded using industry-best security practices to prevent unlawful disclosure.
Qualtrics processes Customer Data for the purpose of providing the software and services to Customers in accordance with the agreement with the Customer.
Qualtrics shall remain responsible for any transfers of Customer Data to third parties.
Access to Customer Data requires Customer consent, and exposure to personal information is incidental to providing the services. Customers have the ability to disable Qualtrics support from accessing Customer Data, but doing so may hinder timely responses and support quality.
4. Complaints and inquiries
Qualtrics is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and individuals may contact the FTC regarding services provided by Qualtrics.
Individuals may also complain to a relevant supervisory authority. The contact details for the Irish Data Protection Commission are as follows:
- Telephone: +353 578 684 800; or
- Online: https://forms.dataprotection.ie/contact
If a Respondent wishes to make a complaint or inquiry about personal data or personal information that may have been collected by a Customer using Qualtrics, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Qualtrics Support.
Inquiries regarding this Privacy Statement may be sent to Qualtrics Support by visiting https://www.qualtrics.com/support/ and clicking on “Contact Us” or by calling the number listed on the main www.qualtrics.com web site. Inquiries are free of charge.
Independent Recourse Mechanism: Any disputes are handled by the International Centre for Dispute Resolution (details below). Inquiries are free of charge.
5. Respondent Rights
In certain circumstances, individuals may have the following rights under data protection law in relation to personal data:
- A right to access personal data
- Rectification of inaccurate personal data
- Erasure of personal data
- Restriction of processing of personal data
- Right to data portability
- Right to object to processing of personal data
- Right to withdraw consent to processing of personal data
If a Respondent wishes to exercise rights in relation to personal data or personal information that may have been collected via Qualtrics, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Qualtrics Support.
If an individual wishes to exercise rights in relation to Business Data (for which Qualtrics acts a data controller), they should contact email@example.com.
6. Information related to Privacy Shield
For details about the Privacy Shield program: https://www.privacyshield.gov/
The key goals of Privacy Shield are to inform both EU and Swiss individuals about:
- the right of individuals to access their personal data
- the choices and means an organization offers individuals for limiting the use and disclosure of their personal data
- the requirement for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
Qualtrics’ Privacy Shield self-certification does not cover human resources data.
Privacy Shield may provide individuals the right to (i) access the data that we hold about them, (ii) request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield, or (iii) limit the use and disclosure of their personal information. In compliance with the Privacy Shield Principles, Qualtrics commits to resolve complaints about our collection or use of personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Qualtrics at: firstname.lastname@example.org.
Qualtrics has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If an individual does not receive timely acknowledgment of its complaint from us, or if we have not addressed an individual’s complaint satisfactorily, such individual should contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost.
Customer Data is stored in a specific geographical region chosen by the Customer. Where it is necessary to transfer personal data from the European Economic Area to the United States, it is solely for the purpose of processing as per instructions from the controller or to comply with applicable laws.
Qualtrics implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.
Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.
Qualtrics self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Qualtrics is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.
Under Privacy Shield, an individual has the right, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Qualtrics must respond to individual complaints within 45 days. For additional information, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Qualtrics’ Independent Dispute Resolution (IDR) Provider is:
American Arbitration Association
International Centre for Dispute Resolution
New York City, New York, USA
7. List of Sub-processors
Qualtrics currently uses the following sub-processors to process personal data in the Subscription Services.
|Purpose||Translation service (as requested by Customer)||Sentiment analysis (as requested by Customer)|