GDPR Notice
This GDPR Notice will inform you of our legal bases for processing your Personal Data, onward transfers of your Personal Data and which additional rights you have regarding the processing of your Personal Data.
UserTesting processes Personal Data both as a Processor and as a Controller (as defined in the European Union’s General Data Protection Regulation (“GDPR”)) as follows:
- UserTesting is the Controller of Customer Account Data and Contributor Account Data, as well as Recording Data for Tests developed by UserTesting.
- With respect to Session and Recording Data collected during Customer’s utilization of the Platform and Services, the Customer is the Controller in accordance with GDPR and UserTesting is the Processor. Customer does not see the Session and Recording Data as correlated to any other Contributor Account Data.
Categories of Recipients of Personal Data
The categories of recipients of Personal Data with whom we may share your personal data are listed in the How we share your personal data section of the UserTesting Privacy Policy.
Purposes of Processing and Legal Bases
UserTesting uses your Personal Data for a number of different purposes, as explained the UserTesting Privacy Policy. Some are essential for us to provide the Site, Platform, and Services you use or to fulfill our legal obligations. Some help us run Site, Platform, and Services efficiently and effectively and some enable us to provide you with more relevant and personalized offers and information. In all cases we have a Legitimate Business Purpose and a legal ground for processing your Personal Data. Some of the most common legal grounds we rely on are briefly explained below:
- Performance of a Contract: we may process your Personal Data for the purposes of a contract to which you are a party, in other words your ability to use the Platform or Services. For instance, if you want to be a Contributor, we need to process your Personal Data, including your payment information, in order to enable you to do so and to pay you.
- Legitimate Business Purposes: we may process Personal Data where it is necessary for our legitimate business interests as listed in the User Testing Privacy Policy, but only to the extent that they are not outweighed by your own interests or fundamental rights and freedoms. When we rely on these legal bases, we will carry out a legitimate interest assessment to ensure we consider and balance any potential impact on you (both positive and negative), and your rights under applicable data protection laws.
- Consent: UserTesting may rely on consent where it is required, such as with respect to Recording Data being accessible to Customers and certain information collected via cookies and similar technologies (other than strictly necessary cookies), or when we are asking you to confirm your marketing preferences. When we rely on consent, you’ll be asked to confirm that you give your permission to UserTesting to process your Personal Data. Details of the processing, such as why UserTesting would like to process your data, how it will be used and if your Personal Data will be shared, will be provided at the time of asking you for your consent. You have the right to withdraw your consent at any time if you no longer wish to have UserTesting process your Personal Data.
- Legal Obligation: UserTesting will on occasion be under a legal obligation to obtain and disclose your Personal Data. Where possible, we will notify you when processing your data due to a legal obligation, however this may not always be possible. For instance, UserTesting may need to provide your data in order to prevent criminal activity or help to detect criminal activity, in which case we may share information with law enforcement. This is done in a safe and secure manner. It’s essential that UserTesting complies with its legal, regulatory and contractual requirements, so if you object to this processing, UserTesting will not be able to provide its Services to you.
The following table illustrates in more detail how the above legal bases for processing may apply to our primary purposes for processing different types of Personal Data:
Purpose of Processing |
Type of Personal Data Used for Purpose |
Legal Basis |
To provide you access to and use of the Platform or Services, including registering as a Customer or a Contributor |
Contributor Account Data Customer Account Data |
Performance of a Contract |
To improve and enhance your experience with the Services, including the content and general administration of the Services. |
Visitor Data |
Legitimate Business Purpose |
To retain records as may be required for tax, legal and financial purposes. |
Only such information as may be required |
Compliance with a Legal Obligation |
To understand how you access, use and interact with the Services in order to provide technical functionality, develop new products and services, and analyze your use of the Services. |
Visitor Data Tracking Data |
Legitimate Business Purpose |
To communicate with you. |
Visitor Data Customer Account Data Information from Third Parties |
Performance of a Contract Legitimate Business Purpose |
To provide you with customer support in connection with your use of the Services. |
Customer Account Data Contributor Account Data |
Performance of a Contract |
To detect fraud, illegal activities or security breaches. |
Only such information as may be required |
Legitimate Business Purpose, but in some cases the processing may be required for Compliance with a Legal Obligation |
To receive and make payments. |
Contributor Account Data |
Performance of a Contract |
To provide information to regulatory bodies when legally required, and only as outlined in this Privacy Policy. |
Only such information as may be required |
Legitimate Business Purpose, but in some cases the processing may be required for Compliance with a Legal Obligation |
Staying in Control of Your Information: Your Rights
If the GDPR applies to you, you have certain rights in relation to your Personal Data:
- The right to be informed – our obligation to inform you that we process your personal data (and that’s what we’re doing in this Privacy Policy);
- The right of access – your right to request a copy of the personal data we hold about you (also known as a ‘data subject access request’);
- The right to rectification – your right to request that we correct personal data about you if it is incomplete or inaccurate (though we generally recommend first making any changes in your account settings);
- The right to erasure (also known as the ‘right to be forgotten’) – under certain circumstances, you may ask us to delete the personal data we have about you (unless it remains necessary for us to continue processing your personal data for a legitimate business purpose or to comply with a legal obligation as permitted under the GDPR, in which case we will inform you);
- The right to restrict processing – your right, under certain circumstances, to ask us to suspend our processing of your personal data;
- The right to data portability – your right to ask us for a copy of your personal data in a common format (for example, a .csv file);
- The right to object – your right to object to us processing your personal data (for example, if you object to us processing your data for direct marketing); and
- Rights in relation to automated decision-making and profiling – our obligation to be transparent about any profiling we do, or any automated decision-making.
These rights are subject to certain rules around when you can exercise them. If you are located in the European Economic Area (EEA), Switzerland, or United Kingdom and wish to exercise any of the rights set out above, please fill out the form here.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under those circumstances.
We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Please note that if we are unable to reasonably confirm your identity, we will not be able to honor certain requests.
We will respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as required by law.
In addition, if you no longer wish to receive our marketing/promotional information you may withdraw your consent to direct marketing at any time directly from the unsubscribe link included in each electronic marketing message we send to you. If you do so, we will update our databases, and will take all reasonable steps to meet your request at the earliest possible opportunity, but we may continue to contact you to the extent necessary for the purposes of providing our Services.
Finally, you have the right to make a complaint at any time to the supervisory authority for data protection issues in your country of residence. We would, however, appreciate the chance to address your concerns before you approach the supervisory authority, so please contact us directly first.
If you are a user in the EEA, Switzerland, and UK you may also contact our Data Protection Officer at data-protection-officer@usertesting.com
Updates
Under certain circumstances (for example with certain material changes) we will provide notice to you of these changes and, where required by applicable law, we will obtain your consent. Notice may be by email to you, by posting a notice of such changes on our apps and websites, or by other means consistent with applicable law.
Subprocessors
UserTesting engages the products and services of other vendors. As a step in ensuring GDPR compliance, UserTesting has reviewed and continues to assess vendors for compliance assurances. Customers can login to view current vendors and status here.
Contact Us
If you have questions, comments, or concerns about UserTesting or this GDPR Notice, please email us at: privacy-request@usertesting.com.
USER TESTING INC.
660 4th Street #246 San Francisco CA 94107
Attn: Office of the General Counsel
Last updated: April 11, 2022