Updated February 21, 2020
This privacy statement explains how Qualtrics and our subsidiary Delighted (“Qualtrics”, “we”, “us”, “our”) handle personal data collected by us as a data controller during the normal course of business (sales, marketing, and support) (“Personal Data”), as well as how Qualtrics as a data processor handles all information input into the Qualtrics software or generated on behalf of Customers in connection with the services (“Customer Data”). Qualtrics complies with the EU-U.S. Privacy Shield framework and the Swiss Privacy Shield framework. It retains the American Arbitration Association/International Centre for Dispute Resolution (AAA/ICDR) for disputes. For specific information about GDPR, please visit https://qualtrics.com/gdpr.
1. Qualtrics software and services
Qualtrics creates experience management software for corporations, research companies, government agencies, universities, and other organizations. The software is accessed using a modern browser via the Internet. Qualtrics products are self-service; Customers determine and are solely responsible for what and how Customer Data is collected.? Customer Data may include data collected from respondents (“Respondents”).
Customer Data may be collected in numerous ways, including via email, a web link, or offline mobile app.
Qualtrics acts as a data processor with respect to Customer Data and processes this data as instructed by Customers, who are the data controllers.
2. Data collected during normal business transactions (unrelated to the software)
In the normal course of business, Qualtrics collects Personal Data such as contact information (e.g. name, address, phone number, e-mail address, and employer) and payment details for Customers. We may also collect browsing data from individuals who visit the Qualtrics website. In these circumstances, Qualtrics acts as a data controller. Qualtrics also acts as a data controller with respect to client relationship management data. This is data that Qualtrics needs in order to provide services to Customers, including performing contractual obligations, engaging in marketing activities, and providing support services (e.g. processing and responding to Customer inquiries and requests).
We process Personal Data in order to fulfil contractual obligations, based on the individual’s consent, or in accordance with our legitimate business interests in improving our services, software and website experiences for users.? Where processing is based on consent, an individual may withdraw consent at any time by contacting us. Instructions for contacting us are provided below in Sections 4 and 5.
We retain Personal Data only for as long as necessary to fulfil the purposes of its collection, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of such personal data, the purposes for which we process personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
For the www.baida30.com site, Qualtrics collects and analyzes aggregate visitor information, including the domain name, visited surveys, referring URLs, and other publicly available information. We use this information to improve our website and services and to customize the content of our pages for each website visitor.
We use the following cookies:
- Required Cookies. These cookies are required to enable core site functionality.
- Functional Cookies. These cookies allow us to analyze site usage so we can measure and improve performance.
- Targeting cookies. These cookies are used by advertising companies to serve ads that are relevant to your interests.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
In most cases Qualtrics collects Personal Data from you directly.? Qualtrics may also obtain Personal Data from other Affiliated Companies within SAP’s Group of undertakings or from third parties, if the applicable national law allows Qualtrics to do so.? Qualtrics will treat this Personal Data according to this Privacy Statement, plus any additional restrictions imposed by the third party that provided Qualtrics with it or the applicable national law.? These third-party sources include Qualtrics business dealings with your employer and/or third parties you directed to share your Personal Data with Qualtrics.
Qualtrics may transfer your Personal Data to other Affiliated Companies within of undertakings for the purpose to inform you about their latest products, service offers and events in the same way Qualtrics does under this Privacy Statements.? In such cases, the SAP Groups will use the Personal Data for the same purposes and under the same conditions as set forth in this Privacy Statement.
As part of a global group of companies, Qualtrics has affiliates and third-party service providers within as well as outside of the European Economic Area (the “EEA”). As a consequence, whenever Qualtrics is using or otherwise processing your Personal Data for the purposes set out in this Privacy Statement, Qualtrics may transfer your Personal Data to countries outside of the EEA including to such countries in which a statutory level of data protection applies that is not comparable to the level of data protection within the EEA. Whenever such transfer occurs, it is based on the Standard Contractual Clauses (according to EU Commission Decision 87/2010/EC or any future replacement) in order to contractually provide that your Personal Data is subject to a level of data protection that applies within the EEA.
We maintain a database of user information which is used for internal purposes such as technical support, marketing-related activities, and to notify Customers of changes or enhancements to the services. Qualtrics uses secure services for online credit card payment transactions and does not record or store credit card information on its site or servers. Qualtrics may share Personal Data with third parties and shall remain responsible for such transfers.
Qualtrics does not sell Personal Data.
Your personal data may be passed on to third parties including companies within the SAP group; vicarious agents or service providers for purposes of processing and providing services to Qualtrics; and/or state agencies and bodies, e.g., based on entry requirements or police activities and investigations.
3. Data collected by customers
Customers own, and are data controllers of, Customer Data. Depending on how the Customer chooses to use the software, Customer Data may include personal data or personal information. Customers manage all Customer Data, as well as the users who create, manage, distribute, or report the Customer Data. To the extent that Qualtrics processes Customer Data, Qualtrics does so as a data processor on behalf of Customers.
Qualtrics processes Customer Data on behalf of Customers in a manner consistent with this Privacy Statement. Each Customer, in its capacity as a data controller, may process Customer Data in other ways. Respondents should check the Customer’s own privacy statement to learn how the Customer intends to process Respondent-specific data that may be included in Customer Data. If a Respondent submits queries to Qualtrics or otherwise seeks to exercise rights under applicable data protection legislation, Qualtrics will forward these requests to the relevant Customer, as can be reasonably determined, in accordance with our contractual arrangements.
Qualtrics treats all Customer Data as highly confidential. All Customer Data is safeguarded using industry-best security practices to prevent unlawful disclosure.? Qualtrics does not sell or make available Customer Data except as requested by a valid court order, search warrant, subpoena, or otherwise as agreed by the parties or required by law.
Qualtrics is FedRamp Authorized. FedRAMP is the gold standard of U.S. government security compliance, with over 300 controls based on the highly-regarded NIST 800-53 that requires constant monitoring and periodic independent assessments. More information is found at https://www.fedramp.gov
Qualtrics is now ISO 27001 certified. More information is at our security statement https://qualtrics.com/security-statement
Qualtrics processes Customer Data for the purpose of providing the software and services to Customers in accordance with the agreement with the Customer.
Qualtrics shall remain responsible for any transfers of Customer Data to third parties.
Qualtrics enables Customers to comply with various privacy-related regulations and laws. Features within the products may be used to modify and delete data, create anonymous surveys, and more. For details, please visit https://qualtrics.com/support/survey-platform/getting-started/qualtrics-gdpr-compliance/
Access to Customer Data requires Customer consent, and exposure to personal information is incidental to providing the services. Customers have the ability to disable Qualtrics support from accessing Customer Data, but doing so may hinder timely responses and support quality.
4. Complaints and inquiries
Qualtrics is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), and individuals may contact the FTC regarding services provided by Qualtrics.
Individuals may also complain to a relevant supervisory authority. The contact details for the Irish Data Protection Commission are as follows:
- Telephone: +353 578 684 800; or
- Online: https://forms.dataprotection.ie/contact.
If a Respondent wishes to make a complaint or inquiry about personal data or personal information that may have been collected by a Customer using Qualtrics, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Qualtrics Support.
Inquiries regarding this Privacy Statement may be sent to Qualtrics Support by visiting http://www.baida30.com/support/ and clicking on “Contact Us”.
Independent Recourse Mechanism: Any disputes are handled by the International Centre for Dispute Resolution (details below). Inquiries are free of charge.
5. Data subject rights
In certain circumstances, individuals may have the following rights under data protection law in relation to personal data:
- A right to access personal data that Qualtrics collects, uses, discloses, or sells (if applicable) about you
- Rectification of inaccurate personal data
- Erasure of personal data
- Restriction of processing of personal data
- Right to data portability
- Right to object to processing of personal data
- Right to withdraw consent to processing of personal data
- Right to opt-out of the sale of Personal Data, if applicable
- Right to non-discriminatory treatment for exercise of data protection rights
If a Respondent wishes to exercise rights in relation to personal data or personal information that may have been collected by a Customer via Qualtrics, such Respondent should contact the Customer. If a Respondent requires additional assistance, the Respondent may contact Qualtrics Support.
If you wish to exercise rights in relation to Personal Data for which Qualtrics acts a data controller, you should contact firstname.lastname@example.org.? If you are located in the State of California, you may also call toll-free using the numbers provided here.? Please note, however, that Qualtrics can or will delete your Personal Data only if there is no statutory obligation or prevailing right of Qualtrics to retain it.? Note further that if you request that Qualtrics deletes your Personal Data, you will not be able to continue to use any Qualtrics service that requires Qualtrics’ use of your Personal Data.
Qualtrics will take steps to ensure that it verifies your identity to a reasonable degree of certainty before it will process the data protection rights you want to exercise.? When feasible, Qualtrics will match Personal Data provided by you in submitting a request to exercise your rights with information already maintained by Qualtrics.? This could include matching two or more data points you provide when you submit your request with two or more data points that are already maintained by us.
In accordance with the verification process set forth in the California Consumer Privacy Act (“CCPA”), Qualtrics will require a more stringent verification process for deletion requests, or for Personal Data that is considered sensitive or valuable, to minimize the harm that might be posed to you by unauthorized access or deletion of your Personal Data.? If Qualtrics must request additional information from you outside of information that is already maintained by Qualtrics, Qualtrics will only use it for the purposes of verifying your identity so you can exercise your data protection rights, or for security and fraud-prevention purposes.
Qualtrics will decline to process requests that are manifestly unfounded, excessive, fraudulent, or are not otherwise required by local law
6. Information related to Privacy Shield
For details about the Privacy Shield program: https://www.privacyshield.gov/
The key goals of Privacy Shield are to inform both EU and Swiss individuals about:
- the right of individuals to access their personal data
- the choices and means an organization offers individuals for limiting the use and disclosure of their personal data
- the requirement for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
Qualtrics’ Privacy Shield self-certification does not cover human resources data.
Privacy Shield may provide individuals the right to (i) access the data that we hold about them, (ii) request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield, or (iii) limit the use and disclosure of their personal information. In compliance with the Privacy Shield Principles, Qualtrics commits to resolve complaints about our collection or use of personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Qualtrics at: email@example.com.
Qualtrics has further committed to refer unresolved Privacy Shield complaints to the American Arbitration Association (AAA), an alternative dispute resolution provider located in the United States. If an individual does not receive timely acknowledgment of its complaint from us, or if we have not addressed an individual’s complaint satisfactorily, such individual should contact the AAA for more information or to file a complaint (contact details below). The services of the AAA are provided at no cost.
Customer Data is stored in a specific geographical region chosen by the Customer. Where it is necessary to transfer personal data from the European Economic Area to the United States, it is solely for the purpose of processing as per instructions from the controller or to comply with applicable laws.
Qualtrics implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access.
Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.
Qualtrics self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Qualtrics is required to respond promptly to EU or Swiss individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.
Under Privacy Shield, an individual has the right, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Qualtrics must respond to individual complaints within 45 days. For additional information, visit: https://www.privacyshield.gov/article?id=ANNEX-I-introduction
Qualtrics’ Independent Dispute Resolution (IDR) Provider is:
American Arbitration Association
International Centre for Dispute Resolution
New York City, New York, USA
7. List of Sub-processors
Qualtrics currently uses the following sub-processors to process personal data in the Subscription Services.
|Amazon Web Services||410 Terry Avenue North, Seattle, WA 98109-5210||Data hosting facilities||Yes|
Cambridge, MA 02142 USA
|Content delivery network and web application firewall for our web services||Yes|
|Cloudflare||101 Townsend Street
San Francisco, California 94107
|Content delivery network and web application firewall for our web services||Yes|
|Google, LLC||1600 Amphitheatre Parkway Mountain View, CA 94043 United States||Translation service
|Optional as requested by Customer|
|Imperium||164 Kings Highway North
Westport, Connecticut 06880, USA
|Improves fraud detection (“ballot stuffing”) by assessing respondent metadata to determine the likelihood that the same respondent is answering repeatedly||Optional as requested by Customer|
|Twilio||375 Beale St, Suite 300,
San Francisco, CA 94105, USA
|Enables users to send surveys via SMS||Optional as requested by Customer|
|Survata||642 Harrison Street,
San Francisco, CA, 94107, USA
|White-labelled partnership. Customer may choose to launch a digital brand lift solution in Qualtrics and view reports in Qualtrics. The study itself will run on the Survata platform and this is transparent to the user.||Optional as requested by Customer|
|Pinpoint (Voice iQ)||2200 Powell Street, #1010
Emeryville, CA 94608
|Speech-to-text transcription services||Optional as requested by Customer|
|Burst||Suite 2, Level 10, 60 Carrington Street,
Sydney NSW 2000
|Enables users to send surveys via SMS (New Zealand only)||Optional as requested by Customer|
|B3||503-100 Sheppard Avenue East,
Toronto ON M2N6N5
|Data scrubbing services (available via Research Services only)||Optional as requested by Customer|
Qualtrics currently uses the following affiliates to process personal data, and may be acting as subprocessors in the delivery of the Cloud Service, and associated support services:
- QAL Technologies Pty Ltd – Suite 21.04, Grosvenor Place, 225 George Street, Sydney,New South Wales, 2000
- QCL Technologies Ltd. – 333 Bay Street Toronto ON M5H 2S
- QDL Technologies GmbH – QDL Technologies GmbH, c/o wework, Oskar-von-Miller-Ring 20, 80333 München
- QFL Technologies SARL – 4 rue de Marivaux, 75002 Paris
- QIL Technologies Limited – One Clarendon Row, Dublin 2
- QPL Technologies sp. z o.o. – ul. Mokotowska, no. 1, Warsaw, 00-640, Poland
- QSL Technologies Pte. Ltd. – Room 736, Level 7 (Regus), 8 Marina View, Asia Square Tower 1, Singapore 018960
- Qualtrics Japan LLC (formerly QJL Technologies G.K.) – Maraunouchi Kitaguchi Building 9F, 1-6-5 Marunouchi, Chiyoda-ku, Tokyo 100-0005
- Qualtrics Sweden AB – c/o United Spaces, Klarabergsviadukten 63, 111 64 Stockholm, Sweden
- QUL Technologies Limited – 5 New Street Square, London, United Kingdom, EC4A 3TW
- Qualtrics Technologies Spain, S.L.U. – Paseo de la Castellana, 200 28046, Madrid, Espa?a