The General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU residents. Since GetFeedback has many customers within the EU, we are required to be GDPR compliant.
For certain new customers, GetFeedback offers an EU Data Center. We don't offer data transfers at this time. Contact your account representative to learn more.
Visit our Privacy Notice and Security Statement | SurveyMonkey for more about GDPR compliance.
The EU-US Privacy Shield framework is designed to provide companies with a mechanism to comply with data protection requirements when transferring and storing personal data. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.
Even though the Privacy Shield is no longer a recognized transfer mechanism, GetFeedback still self-certifies to the Privacy Shield Framework in order to demonstrate our continued commitment to privacy protections. Our certification can be found at this link: https://www.privacyshield.gov/participant?id=a2zt0000000Gn7zAAC&status=Active
The General Data Protection Regulation (GDPR) went into effect in 2018 and enhances EU individuals’ privacy rights by placing more responsibility on organizations that collect and process data in the EU.
GDPR regulates the processing of personal data for individuals in the European Union including its collection, storage, transfer, and/or use. GDPR gives individuals more rights and control over their data by regulating how companies handle and store the personal data they collect.
Laws in other parts of the world, including various states in the US, are now following suit with similarly broad regulatory requirements to protect and enhance personal data rights.
Enterprise companies, in particular, need to comply with these changes as the regulations come with increased enforcement and failure to comply can lead to huge fines.
At GetFeedback, we are committed to the security of your data and protecting the privacy of your clients. GetFeedback develops its services using the Privacy by Design philosophy. This means we consider privacy and personal data protection throughout all parts of our product development lifecycle. Our services are designed to limit personal data collection by default where possible, and we aim to give you control over feature enablement where appropriate.
All GetFeedback Digital data, including our customer portal and API, is stored in AWS Region EU (Ireland).
Limited customer data access may occur in other jurisdictions outside the EU (for example, if you receive customer success support from an individual located in one of our other office locations). You can view a full list of sub-processors applicable to all our services. All our employees are trained on data privacy compliance and security matters, and we enter into data processing terms and standard contractual clauses with all our sub-processors, where appropriate.
Where possible, GetFeedback will perform upstream processing activities and analysis on anonymized or pseudonymized data. This means we will, to the extent necessary, exclude or remove any screenshots, IP addresses, email addresses, free-form (text) responses, and any identifiers that link the feedback item to a user’s data before processing it.
If you, as a customer, are processing personal data through the GetFeedback Digital platform, typically you will require a Data Processing Agreement (DPA). We have prepared a standard contract for this purpose, which accurately describes the specific characteristics of our product. If you need a DPA, we strongly urge you to make use of the GetFeedback Digital template, since it’s the most efficient option. The template is available through our Customer Success department.
If you have any questions regarding how GetFeedback handles data privacy, please contact your Customer Success Manager.
The extent to which you will be collecting personal data through our solution depends primarily on how you, as a customer, set up your configuration. The data collected using GetFeedback varies depending on which of our service(s) you use.
Some data will be collected as part of using the service; other data is optional and can be configured in your campaign settings.
Below, you can find an overview of what data is collected by our different services.
When your customers provide feedback through this service, this information will always be collected:
You can configure the service to collect the following information:
When your users provide input through this service, this information will always be collected:
You can configure the service to also collect the following information:
When your users provide input through this service, this information will always be collected:
You can configure the service to also collect the following information:
Custom Variables are supplemental information collected about your customers or platform that can be passed as feedback items through GetFeedback. Custom variables can be provided through JavaScript (websites), through the mobile apps SDK (apps) or via variables in the URL (email).
To ensure that you can make the best and safest decisions on the collection and storage of your data while using GetFeedback Digital, we have created a GDPR Checklist. Whether you're an existing or new customer, going over this checklist will make sure that you're ready for the GDPR.
When you collect feedback, it might come with privacy-sensitive data. A good starting point is to consider what information is essential to you for processing your feedback. Keep in mind that it is still OK to collect privacy-sensitive data, as long as you have a valid reason for it and take the necessary measures to ensure privacy regardless of what happens.
At GetFeedback Digital we strongly believe in "Privacy by Design". Privacy by Design is an approach based on the premise that privacy is rooted in the design and operation of IT systems, networked infrastructure, and business practices. With the GDPR coming into effect, it's also important for you as a customer of ours to take this approach. Therefore, we have made a couple of changes to our solution to ensure that, by default, no setting collects privacy-sensitive information.
One of the key changes that we made is that, for newly created buttons, privacy-sensitive information is not collected by default. Privacy-sensitive information includes location data, IP address, and form values in a screenshot. Of course, you have the option to collect this type of data by enabling this in the settings.
For existing Feedback Buttons and forms, the settings remain the same. Do keep in mind that you might want to reconsider whether all the data that you currently collect is (still) necessary. In the "Which information does GetFeedback Digital collect?" Support article you'll find an overview of all the data that GetFeedback Digital collects.
To give you full control over the collection of your data, please follow the next steps.
Feedback responses are only available to those who have access to GetFeedback Digital and a connected Feedback button. The account can only be accessed with a unique username or email address and password. Account owners are responsible for keeping both their username and password safe.
GetFeedback will never sell your collected feedback results or share the feedback with third parties, including but not limited to other GetFeedback users.
The privacy settings of your feedback buttons are located in the button drop-down menu. On the privacy settings page, you’ll find the General privacy settings for your button. The options to enable or disable form values, IP addresses, and location data are located here.
When users leave feedback on your website, a screenshot will be generated. Depending on the web page on which the user gave their feedback, privacy-sensitive data could be captured in the generated screenshot. Disabling the "Save form values" option makes sure that any values filled out in forms present on the webpage are not included in the screenshot. By default, this option is turned off.
A good example of where this applies is a website with a sign-up form for people applying for a loan. These kinds of forms often contain privacy-sensitive information. To be on the safe side when it comes to forms on your websites, we recommend disabling the option to make sure that you do not store the values your customers enter in a form.
TIP! We also offer a masking option that will mask HTML elements, text, or attributes from the screenshot to help you prevent the storage of privacy-sensitive data. More information about this can be found here.
Our feedback and campaign data used to include the location of the person who left the feedback. For new feedback buttons and campaign forms, this is turned off by default. While location data can be very useful to track the mood or NPS for specific regions, you might want to consider whether you're using the location data. Location data can be considered personal information when combined with other metadata. If you don't actively use it, it may be better to disable this functionality for existing buttons.
Similar to location data, our feedback items and campaign data used to come with the IP address of the person who filled in the form. Consider whether it is necessary to collect this data. If not, we recommend disabling the storage of IP addresses for existing buttons. The European Court of Justice considers the IP address to be personal information, so only collect this data when it is necessary.
TIP! If you need to filter feedback from your employees or colleagues from feedback from customers, try using a Custom Form.
For campaigns created before GDPR, privacy settings remain the same. However, newer campaigns don’t collect IP addresses or location data by default. Keep in mind, campaigns don’t share the settings of the button they’re connected to.
If you prefer to store IP addresses and location data, you’ll need to enable this manually in your campaign’s settings.
The data retention period doesn't cover GetFeedback Direct. Contact help@getfeedback.com if you need help with data in GetFeedback Direct.
The data retention feature allows you to set a retention period for all collected data within GetFeedback Digital. Your data collection settings affect all of your data in GetFeedback Digital but won’t affect data in GetFeedback Direct.
This setting is only available to GetFeedback account administrators.
By default, we retain all of your campaign data in our database, unless you set a retention period.
From your account settings page, select the Security & Privacy tab. Here, you’ll find the option to set your data retention period from 1-36 months. After you’ve configured your data retention settings, data older than your retention limit will be deleted daily, between 01:30 AM and 04:00 AM (UTC).
Setting a data retention period may significantly change the aggregated results of long-running campaigns because older data will be deleted. Please export any important historical data before setting your data retention period. GetFeedback support can’t retrieve deleted data.