Recommandation: Enable European data residency to keep client data within regional boundaries. With Qualtrics you can store data solely in european data centers for months, ensuring emails and responses reside in EU infrastructure. This supports your intellectual property protections, meets privacy obligations, and provides a clear resolution for data handling across mobile devices and websites.
Data minimization and consent: capture consent at the point of collection, store only what you need, and set retention to months that fit your risk profile. Over time, adjust retention windows based on audit findings. Ensure your policies are relevant and reflected in the UI. Use transactions logs to verify access and detect invisible access attempts across mobile and websites.
Security controls: enforce TLS 1.2+ in transit, encryption at rest, and role-based access control. Schedule monthly reviews of access rights and privacy controls for your team. Maintain emails data separation and ensure audit trails cover data exports and potential disclosures in transactions.
Policy updates and rights: when the policy changes, you will receive emails describing what is new. Provide customers with a way to exercise rights and export data. Ensure the changes remain relevant to your processes and update your websites and mobile experiences accordingly.
Implementation checklist: enable EU data residency; set data retention months; enable consent collection; enable encryption and access controls; enable monitoring and alerting for unusual activity; generate monthly reports on data access. By following these steps you reduce risk and build trust across transactions.
What Data Qualtrics Collects and Why
If you wish to limit what Qualtrics collects, customize your data settings now and proceed with targeted controls on the page you interact with.
What data Qualtrics collects
Qualtrics collects the name you provide and the answers you submit, with time stamps for each response. It logs page views, time on page, and related actions, and it records data from devices and cookie data to tailor experiences. Billing information may appear on invoices, and the data form a dataset used to operate your account and generate insights. The system stores this information to support access, reporting, and customer service, with a clear trail of activities tied to your name and page visits.
Why Qualtrics collects data
Qualtrics collects data to learn how people engage with surveys, to operate the service, and to deliver timely responses. There is a process that flags a potential violation and logs related data when anomalies occur. Data are shared with and received by partners who provide analytics, hosting, and support. Transfers may move data to servers in Utah and European facilities to meet regional requirements; access is limited to personnel with a legitimate and reasonable need. The goal is to detect violations, protect user accounts, and keep your data safe, while enabling you to review and manage the data you knowingly provide. If you wish, you can opt out of nonessential processing and still use core features.
To optimize control, customize cookie settings on the page and opt out of nonessential data sharing with partners. For example, remove nonessential data from forms and schedule removal of old entries after a defined time. If you need data removed, submit a request; you can choose to remove specific items or clear datasets, and Qualtrics will confirm when the data are removed.
Where Data Is Stored, Transferred, and Protected
Store data exclusively in regional data centers operated by authorized providers that meet our security framework and applicable laws. Encryption technologies designed to protect data at rest and in transit deploy AES-256 for storage and TLS 1.2+ for network traffic, with keys managed through a dedicated key-management service. Access controls enforce least privilege, and every access is logged and reviewed regularly.
Provided roles determine access to identifiers and personal information; only staff and contractors with a documented need can view data. For students and organizations, this means support teams access de-identified or aggregated datasets and researchers work with anonymized identifiers wherever possible. Please keep to the minimum necessary data and avoid excessive collection; feedback is collected through approved channels and used to improve safeguards, not to target individuals.
Data Residency and Security Controls
Data remains under the jurisdiction of the policy and resides in data centers aligned with the framework. There, visit the official policy portal to see data-location maps and cross-border transfer rules. We require formal reviews of any third-party provider and maintain contractual protections covering confidentiality, breach notification, and data-retention terms.
Cross-Border Transfers, Access, and Dispute Resolution
When data crosses borders, we rely on recognized mechanisms such as standard contractual clauses or equivalent safeguards. Transfers are limited to what is necessary to provide the platform and services, avoiding excessive exposure. Access to data is restricted to targeted teams for defined purposes; identifiers may be replaced with pseudonyms in shared datasets. We monitor attempts of accessing data to identify unusual patterns and maintain audit trails to support review processes. Customization options let you adjust privacy settings across official platforms. We do not sell data; this policy ensures transparency about data usage and provides feedback channels to users.
In case of disputes, parties may seek resolution through the court in the relevant jurisdiction or via agreed arbitration. We respond to lawful access requests promptly and suspend processing when required by law or court order. The dispute process remains accessible through official channels, and updates are posted on the platforms to keep users informed.
Cross-Site Data Sharing: Third-Party and Other Services
Always require the name and an additional data-sharing addendum from any third-party service before transferring data; obtain explicit written consent and limit the scope to what is strictly necessary for your program and customers.
What we share and with whom
We read contracts with named companies to ensure applicable privacy controls. We share minimal data with these companies, only what's needed to support the program and to operate the system. Data may include identifiers, activity logs, and non-sensitive recordings where applicable; we avoid transfer of excessive data and prevent interest-based profiling. We verify the company's design, security measures, and read-only access for our team, and we ensure cookies are used only for legitimate purposes. We require the name of the partner and the program it supports, and we confirm backup procedures. Processing occurs on secured computer systems, and data may travel across the internet to reach processors. For child data, we apply heightened safeguards and only process with parental consent where allowed by law. In utah, we align with state standards when applicable.
Controls, standards, and customer rights
We maintain a standard policy across all vendors. Each program must implement strong access control, audit logs, and clear data-handling responsibilities. We monitor data flows to prevent excessive exposure and ensure that their handling remains within the defined scope. Customers can read, export, delete, or restrict their data and opt out of cross-site data sharing. Our backup copies are encrypted and stored under our control, whether in the cloud or on-premises, with retention aligned to applicable requirements. We handle government requests through formal channels and document every demand. Also, we provide a simple interface to disable cross-site cookies and manage consents. We identify every company by name in the data processing agreement, and we keep records of processing activities for customers to read.
| Vendor | Data Shared | Purpose | Retention | Controls |
|---|---|---|---|---|
| Vendor A (name) | Identifiers, activity logs, cookies | Service operation and reliability | 12 months | Access controls, DPA |
| Vendor B (name) | Recordings (where applicable), backup copies | Support and analytics | 6–24 months | Encryption at rest, audit trails |
User Rights: Access, Correction, and Deletion Requests
Engage by submitting an Access request via the secure privacy portal or by contacting our privacy team. To speed processing, include your full name, the email associated with your account, and a concise description of the data you want to review, such as session history, identifiers, or analytics records.
We maintain a live inventory of personal data and processing activities to support your rights; after submission, we report on each item linked to your identity and the processing steps we operate.
Access: we provide a portable copy of the data we maintain that relates to your account, including identifiers, contact details, and data logs, using session data. Data is delivered in CSV or JSON format; we redact elements necessary to protect others' privacy or security.
Correction: if you find inaccuracies, submit a Correction request with the exact field and value; we verify against internal sources, apply changes in the primary store, and issue a revised copy along with a short summary of adjustments.
Deletion: you may request removal of personal data from active processing; we assess legal obligations and business needs. If deletion is feasible, we remove from primary systems and anonymize backups; if not, we provide a clear rationale and offer de-identification or restriction where possible.
Timeline and response expectations: we acknowledge requests within a few days and provide a final decision within 15 days for straightforward cases; for complex records, we extend once by up to 15 days with a documented reason. You will receive a report detailing actions taken.
Security and accountability: we operate with secure transmission and role-based access; internal audits log actions to manage risk. If you have concerns or suspect a violation, contact us immediately and we will engage with you to address the issue. We welcome questions and feedback throughout the process to improve safeguards.
Utilisation des données à des fins de recherche et d'amélioration : les données peuvent être utilisées pour améliorer les produits et services sous des contrôles stricts ; les données personnelles ne sont pas partagées avec des groupes externes sans consentement. Vous pouvez demander des informations sur le traitement lié à la recherche dans le cadre de vos droits, et vos commentaires contribuent à affiner les pratiques de gestion des risques et de confidentialité.
Notification de violation de données : Délais et recours pour les clients
Commencez par un plan d'action concret : dans les 24 heures suivant la découverte d'une violation affectant des données personnelles, activez l'équipe de réponse aux incidents et sécurisez les systèmes concernés au nom de l'entreprise. Au Minnesota, respectez les lois de notification des violations de l'État ; informez les personnes sans délai indu. Préparez les communications à l'aide d'un modèle prêt à l'emploi, et configurez une ligne d'assistance et une adresse e-mail dédiées aux questions des clients. Assurez-vous que le langage est clair, que les éléments de données impliqués sont décrits et que les mesures que les clients doivent prendre pour se protéger sont mises en avant. Alignez ceci sur les paramètres internes et les obligations des fournisseurs, y compris les processeurs tiers.
Timelines
- Découverte et confinement : dans les 24 heures, isoler les systèmes affectés et conserver les sources associées ; documenter ce qui s'est passé et quelles données ont été affectées.
- Évaluation des risques et projet de notification : dans les 24 à 48 heures, déterminer les types de données, les destinataires et le niveau de risque ; préparer les avis aux clients et aux organismes de réglementation en utilisant le modèle.
- Notification aux clients : dans les 72 heures pour les violations à haut risque ; sinon, notifier dès que possible, mais au plus tard dans le délai légalement requis ; inclure ce qui s'est passé, les catégories de données, les actions pour les clients et les options de contact.
- Coordination gouvernementale et avec les fournisseurs : notifier les autorités gouvernementales lorsque cela est requis par les lois ou règlements ; coordonner avec les fournisseurs tiers et les sociétés affiliées internationales si des données ont traversé les frontières.
- Mises à jour post-avis : fournir des mises à jour continues si de nouvelles informations apparaissent ou si la portée de la violation s'étend.
Recours du client
- Surveillance de crédit et protection de l’identité : offrir 12 mois de surveillance gratuite, des alertes de fraude et des services de restauration d’identité aux personnes touchées.
- Soutien financier : rembourser les dépenses raisonnables liées à la violation, telles que les blocages de crédit ou la protection spécialisée contre le vol d'identité, et fournir une documentation claire pour les demandes.
- Accès aux étapes de conseils et de protection : fournir une liste de contrôle des paramètres de sécurité et un canal de support direct pour les questions ; inclure les étapes permettant de réinitialiser les mots de passe et d'activer l'authentification à deux facteurs.
- Notifications sur plusieurs canaux : utilisez l'e-mail, les SMS et un portail sécurisé afin que les clients puissent examiner les détails et agir rapidement ; fournissez un point de contact pour les questions.
- Gestion transfrontalière et des fournisseurs : en cas de violations impliquant le traitement de données international, coordonner avec les entités connexes et s'assurer que les fournisseurs tiers respectent les mêmes normes de notification ; partager les sources et les bonnes pratiques avec les parties prenantes.
- Remèdes aux risques inter-fournisseurs : si les données ont été traitées par des fournisseurs tels que Google ou d'autres services cloud, confirmez les actions de remédiation et mettez à jour les paramètres et préférences de gestion des données.
- Transparence et éducation : publier un résumé concis des incidents et fournir l'accès à des recherches ou des conseils provenant de sources indépendantes, et offrir une mise à jour mensuelle sur la confidentialité aux clients intéressés.
