At UserTesting, your privacy is important to us. This Privacy Policy describes the personal data that User Testing, Inc., Teston AS and group companies (collectively referred to as “the company,” “we,” “our” and “us”) processes. This Privacy Policy also explains how we process personal data and for what purposes.
Summary of Key Points
- This Privacy Policy explains when we process Personal Data for our legitimate business interests. For more information on how to access and control your data, please see the “How you can control your data” section.
- We use cookies and other technologies to track the use of our websites and apps. To learn about opportunities to choose not to allow cookies, please see our Cookies section here.
- We do not sell your data.
- We transfer personal information to the US, which may be outside the country in which you live. To help protect your personal information, we comply with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom and Switzerland, as applicable, to the United States. You can read more about Privacy Shield here.
- We comply with the GDPR and other applicable EU privacy laws. If you are a resident of the European Economic Area, please see the GDPR Notice that applies to you.
- We comply with the CCPA. If you are a resident of California, please see the CCPA Notice that applies to you.
Who we are
We provide websites (“Sites”) where visitors and other members of our community (“Visitors”) may learn about our offerings, view Site materials and/or access a platform (“Platform”) and related services (“Services”) that enable (i) businesses, including current and prospective customers (collectively “Customers”) to solicit feedback (“Tests”) on any brand, design, content or current or potential offering and (ii) individuals taking part in such Tests (“Participants”) to perform and record Tests. In connection with the Site, Platform and Services, UserTesting may collect, record and analyze information about Visitors, including its Customers and Participants, which may include individually identifiable information that would allow UserTesting to determine the actual identity of, and contact, a specific individual, billing information, account settings and other data (“Personal Data”).
How we collect and use your data
How we collect Personal Data depends on how and why you use the Sites, Platforms and/or Services.
We collect Personal Data directly when you submit it to us, as a Visitor, Participant or Customer, as well as indirectly, such as through the use of automated technologies or from third parties. To help keep our databases current and to provide you the most relevant content and experiences, we may combine information provided by you with information from third party sources, in accordance with applicable law. For example, the size, industry, and other information about the company you work for (where you have provided company name) may be obtained from sources including professional networking sites and information service providers. We provide more information about how we collect Personal Data in the sections below.
UserTesting uses your Personal Data for the purposes listed below. We refer to this list as the list of “legitimate business purposes”.
Legitimate business purposes include the following:
- to provide you access to and use of the Services, including registering as a Customer or a Participant,
- to deliver Services to our Customers, including Recordings created by Participants,
- to improve and enhance your experience with the Services, including the content and general administration of the Services,
- to retain records as may be required for tax, legal and financial purposes,
- to understand how you access, use and interact with the Services in order to provide technical functionality, develop new products and services, and analyze your use of the Services,
- to communicate with you,
- to provide you with customer support in connection with your use of the Services,
- to detect fraud, illegal activities or security breaches,
- to receive and make payments,
- to provide information to regulatory bodies when legally required.
In the sections below, we are more specific about the purposes for which we use each category of data.
Data provided by our Visitors (“Visitor Data”)
When Visitors use or browse our Site, we collect their IP addresses and usage information such as page views, clicks and browser type.
If a Visitor submits a request for a trial on our Site, chats with us for support, requests to watch a webinar, subscribes to our blog or other news, submits a request through our Contact Us form, requests to download a whitepaper or other content, we may also collect the Visitor’s:
- Name;
- Title;
- Email;
- Phone number;
- Company name;
- Country;
- IP address.
We use this Visitor Data to respond to the Visitor’s requests, provide the Visitor with the information or materials requested, including without limitation marketing materials, newsletters and other related content, perform analytics on how the Site, Platform and Services are used, and improve the use of the Site, Platform or Services.
Data provided by our Participants (“Participant Data”)
Account Data
When a Participant creates an account with UserTesting, we will collect the Participant’s name, username and password, zip code, and email address.
We may also ask each Participant to provide us with additional information necessary or helpful for UserTesting to be able to determine which Tests are best directed to that Participant. Examples of information we may collect are: birth year; gender; household income range; country; web expertise; presence of children (including gender and birth years); employment status, industry; company size; job role seniority; gaming genres; web browsers; social networks; languages spoken; race, ethnicity, sexual orientation and other sensitive personal data, which may be provided on a voluntary basis and only collected as permitted by applicable law; devices owned (e.g. computer, smartphone, tablet); and computer operating system.
UserTesting uses Participant Account Data to provide and improve its Services, pay Participants, provide information on how to use our Platform and Services to our Participants, and for other legitimate business purposes.
Recordings
As a Participant conducts a Test, we make a recording of the Participant’s activities, which may include recordings of the Participant’s voice, video, face, movements, screen, text inputs and device and screen interactions (“Recordings”).
Intellectual property rights in Recordings, which may include personal data, are assigned by Participants to UserTesting under the terms of the Participant Terms of Service in consideration for Participants’ use of the Platform and Services.
UserTesting uses Recordings to provide Services to Customers, to market its products and services, to protect against fraudulent or illegal activity and to improve the UserTesting Platform and Services.
Data provided by our Customers (“Customer Data”)
During a Customer’s use of the Platform and Services, Customers are asked to provide information such as name and contact information, including email address, address, telephone or other relevant Personal Data.
Customer Data is used by UserTesting to identify each Customer and provide them with access to the Platform and Services, to bill Customers, and to meet UserTesting’s contractual obligations. We also use Customer Data to improve our Platform and Services and to provide Customers with notices about improvements and best practices in using the Platform and Services.
It is the Customer’s responsibility to ensure that collection and processing of Recordings from a Test it has created is handled in accordance with applicable law. For Customers in the EEA, please see our GDPR Notice. For Customers in California, please see our CCPA Notice.
Personal Data Collected Indirectly
Tracking Data, IP Addresses and Device Fingerprints
UserTesting tracks whether a Visitor lands on the UserTesting Site from an external source (such as a link on another website or in an email) as well as IP addresses from which the site is accessed and information about the computing device (fingerprint) used to access the site. UserTesting uses this information to improve the Site, Platform and Services as well as to prevent fraud and secure information.
Information from Third Parties
UserTesting collects Personal Data and other data from third parties that provide us with lists of potential Customers and their contact information, if such potential Customers give permission to those third parties to share their information with us. UserTesting uses this information for its own marketing purposes.
Cookies
UserTesting uses cookies and page tags on the Site, Platform and Services. Cookies are small bits of data we store on the device that you use to access our Site, Platform and Services so we can recognize repeat users. Depending on our use, certain cookies expire after a certain period of time. Some cookies will remain on a computer’s hard drive until they are deleted manually using browser or operating system software.
Visitors have the ability to accept or decline cookies that are not strictly necessary. Most web browsers automatically accept cookies, but individuals can usually modify browser settings to decline cookies. More information about disabling cookies is available at www.allaboutcookies.org. Choosing to decline certain cookies may result in decreased functionality on UserTesting Site, Platform and Services.
“Do Not Track”
UserTesting’s Site, Platform and Services may not respond to Do Not Track (“DNT”) signals. For more information on DNT settings generally, please visit https://allaboutdnt.com/.
We collect data when you communicate with us
If you communicate with us directly, we will collect any Personal Data contained in such communications.
Automated decision making
UserTesting may use automated decision making using a variety of signals derived from account activity to help identify and suspend accounts sending spam or engaged in other abusive or fraudulent activity or who have not engaged with us for an extended period of time. Holders of accounts suspended under these circumstances are notified of the suspension and given an opportunity to request human review of the suspension decision.
How we share your personal data
Data Processors and Subprocessors
UserTesting discloses users’ information to our third-party agents, contractors, or service providers who are hired to perform services on our behalf. These providers may operate or support certain functions of the Services, and in some cases collect information directly. Below is an illustrative list of functions for which we may use third-party service providers:
- Analytics services, such as DataDog and NewRelic
- Customer support services, such as ZenDesk and Intercom
- Billing services and payment gateway providers, such as PayPal
- Hosting and content delivery network services, such as AWS and Google Cloud Platform
- Job application/fielding service providers, such as Greenhouse and Homerun.
Unless you and the company have agreed otherwise, we generally do not directly collect your payment information and we do not store your payment information. We use a third-party payment processor, such as PayPal, which collects payment information on our behalf in order to complete transactions such as to pay Participants. While our administrators are able to view and track actual transactions via the third-party payment processor customer portal, with the exception of the last 4 digits of your credit card, credit card type, zip code and expiration date, we do not have access to or process your credit card information.
Business Transfers
As we continue to grow, we may purchase websites, applications, subsidiaries, other businesses or business units. We may share your data amongst our corporate group companies. Alternatively, we may sell businesses or business units, merge with other entities and/or sell assets or stock, in some cases as part of a reorganization or liquidation in bankruptcy. As part of these transactions, we may transfer your Personal Data to a successor entity upon a merger, consolidation or other corporate reorganization in which UserTesting participates, or to a purchaser or acquirer of all or a portion of UserTesting’s assets, bankruptcy included.
Legal Obligations and Security
We will preserve or disclose your Personal Data in limited circumstances (other than as set forth in this Privacy Policy), including: (i) with your consent; (ii) when we have a good faith belief it is required by law, such as pursuant to a subpoena, warrant or other judicial or administrative order (as further explained below); (iii) to protect the safety of any person; to protect the safety or security of our Services or to prevent spam, abuse, or other malicious activity of actors with respect to the Services; or (iv) to protect our rights or property or the rights or property of those who use the Services.
If we are required to disclose Personal Data by law, such as pursuant to a subpoena, warrant or other judicial or administrative order, our policy is to respond to requests that are properly issued by law enforcement within the United States or via mutual legal assistance mechanism (such as a treaty).
Note that if we receive information that provides us with a good faith belief that there is an exigent emergency involving the danger of death or serious physical injury to a person, we may provide information to law enforcement trying to prevent or mitigate the danger (if we have it), to be determined on a case-by-case basis.
How we store your data
Retention
We retain your data in accordance with your instructions, including your agreement to applicable terms of service and your use of the Platform and Services. We also retain Personal Data we collect from you where we have an ongoing legitimate business purpose for doing so. Additionally, we cannot delete information when it is needed for the establishment, exercise or defense of legal claims (also known as a “litigation hold”). In this case, the information must be retained as long as needed for exercising respective potential legal claims.
When we have no ongoing legitimate business purpose to process your personal information, we will either delete or anonymize it. If this is not possible (for example, because your Personal Data has been stored in backup archives), we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
We use the following criteria to determine our retention periods: the amount, nature and sensitivity of your information, the reasons for which we collect and process your Personal Data, the length of time we have an ongoing relationship with you and provide you with access to our Services, and applicable legal requirements.
If you have questions about, or need further information concerning, our data retention periods, please send an email to privacy-request@usertesting.com.
Deletion
If you ask UserTesting to delete specific personal information that forms part of your Visitor Data, Participant Data or Customer Data, and for which we are the data controller, we will honor this request unless deleting that information prevents us from carrying out necessary business functions, like delivering and billing for our services, calculating taxes, or conducting required audits.
Generally, if Personal Data can no longer be retained or is no longer necessary, it will be deleted within a reasonable period of time.
Additional Rights
If you are an individual in the EEA or a California resident, please see the relevant GDPR Notice and CCPA Notice with respect to exercising your right to deletion.
Data protection (aka privacy) law in certain jurisdictions, like the European Economic Area (EEA), differentiates between “controllers” and “processors” of personal information. A controller decides why and how to process personal information. A processor processes personal information on behalf of a controller based on the controller’s instructions.
When UserTesting processes Visitor Data, Participant Data, and Customer Data, we generally act as a controller in most respects but may act as a processor in certain respects.
How you can control your data
Visitors, Participants and Customers who wish to request access to or correction of Personal Data for which UserTesting is the data controller should contact UserTesting at privacy-request@usertesting.com. Where UserTesting is the data processor or subprocessor of your Personal Data, Visitors, Participants or Customers should contact the relevant data controller to request access to or correction of that Personal Data.
Individuals located in the EEA or residents of California have additional rights as set forth in our relevant GDPR Notice and CCPA Notice.
How we keep your data safe
UserTesting has a data protection officer (“Data Protection Officer”) who is responsible for UserTesting’s compliance with and enforcement of this Privacy Policy. The Data Protection Officer is available to answer questions from any employees, Visitors, Customers, Participants, business partners, vendors, or others who may have questions concerning this Privacy Policy or UserTesting’s data security practices. UserTesting’s Data Protection Officer may be contacted at: data-protection-officer@usertesting.com.
Security
UserTesting cannot ensure or warrant the security of any information transmitted to UserTesting. All transmissions of information are done at the sender’s own risk. Once UserTesting is in possession of any information, UserTesting will make reasonable efforts to ensure the security of its systems.
Your personal information and files are stored on UserTesting’s servers and the servers of companies we hire to provide services to us.
UserTesting has adopted physical, technological, and administrative procedures designed to safeguard and secure the information we process. By using this Site, Platform or Services or by providing Personal Data to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of this Site, Platform or Services.
Privacy Shield
UserTesting complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. UserTesting has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/. To see a more detailed description about our participation with Privacy Shield, please see the Privacy Shield section in our GDPR Notice.
The Privacy Shield program applies to the processing of Personal Data in regards to the collection, use and retention of Personal Data from visitors, participants and customer employees located in Switzerland and the European Union and European Economic Area, as set out by the U.S. Department of Commerce. UserTesting is responsible for the processing of Personal Data it receives and subsequently transfers to a third party acting as an agent on its behalf under the Privacy Shield Framework. User Testing complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
UserTesting is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
User Testing encourages you to contact our Head of Privacy and Security at privacy-request@usertesting.com should you have any Privacy Shield-related (or general privacy-related) complaint. As part of our participation in the Privacy Shield program, we will resolve disputes you have with us in connection with our policies and practices through JAMS ADR. For more information and to contact JAMS ADR directly, visit https://www.jamsadr.com/eu-us-privacy-shield. As a last resort and in limited situations, Swiss and EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. You can find the relevant supervisory authority name and contact details by visiting https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_en.
GDPR - General Data Protection Regulation
If you are located in the European Economic Area (“EEA”), this entire Privacy Policy applies to you as well as the GDPR Notice.
CCPA - California Consumer Privacy Act
If you are a resident of California, this entire Privacy Policy applies to you as well as the CCPA Notice.
Nevada Residents
If you are a resident of Nevada, this entire Privacy Policy applies to you as well as the following. You may direct a business that operates an internet website not to sell certain personal information a business has collected or will collect about you.
UserTesting does not sell your personal information pursuant to the definitions under the Nevada law.
Acceptance
You agree that you have carefully read this document and agree to its contents. If you choose not to agree with this Privacy Policy, then you should refrain from using the Site, Services, and Platform.
UserTesting reserves the right to change our Privacy Policy as necessary. Continued use of the UserTesting Site, Platform and Services after having been presented with any such revised Privacy Policy indicates acceptance of the revised Privacy Policy. If we make material changes to this Privacy Policy, we will provide notice to you of these changes and, where required by applicable law, we will obtain your consent. Notice may be by email to you, by posting a notice of such changes on our apps and websites, or by other means consistent with applicable law.