LAST REVIEWED AND UPDATED: FEBRUARY 18, 2021
Medallia and Customer Data
Types of Information Medallia Collects
Use of Information
Disclosure of Information
Protection of Personal Information
Your Privacy Rights
Transfers of Information
Third Party Websites
Medallia and CCPA/CPRA
1. Medallia and Customer Data
Medallia’s customers are organizations such as businesses, who use our services to help them understand employee and customer experiences. Medallia’s customers may electronically submit data or information for hosting and processing purposes (“Customer Data”). Medallia does not review, share, distribute or reference any such Customer Data except as provided in the customer’s contract, and if applicable, in the Data Processing Agreement (“DPA”) between Medallia and our customer. Medallia may access Customer Data only for the purpose of providing services, preventing or addressing service or technical problems at our customer’s request in connection with customer support matters, or as may be required by law. A copy of our standard Customer DPA is available here. If you have questions about personal data you have entered into a Medallia service used by one of our customers, or if you want to exercise any of your rights regarding your personal data, our customer contract requires that we redirect your inquiry back to that Medallia customer.
Medallia may transfer Customer Data to partners that help us provide our services. Transfers to third parties are covered by the provisions of our customer and partner agreements. To see a list of our Customer Data related subprocessors, please review Annex A of our DPA available here.
Medallia may retain Customer Data collected on behalf of our customers for as long as that customer’s account is active or as needed to provide services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.
For information about email survey invitations or other communications sent by Medallia on behalf of one of our customers, including opt-out and data deletion requests, please visit our opt-out FAQ. For general support inquiries, including problems with survey completion and incorrect survey invitations, please visit our survey support portal.
2. Types of Information Medallia Collects
2.1 Information You Give Us
You may give us information about yourself by using the online forms provided on the website or by contacting us by phone, e-mail or other means. This includes, for example, filling in the “Contact Us” form on the website, applying for a position with Medallia, registering for a webinar or event, providing your information to us in order to receive our services, or when participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”).
The information you give us may include email address, name, mailing address, telephone number, company name, company address, geolocation data, credit card information, job title, account information, chat conversations, video submissions, and any updates to information provided to us.
Please note that we need certain types of information so that we can provide services to you. If you do not provide us with such information, or if you ask us to delete it, you may no longer be able to access our services.
Medallia may collect Personal Information when a candidate submits an application for employment, including personal data contained within a resume or curriculum vitae (including names, contact details, employment and education history), and, when applicable, Equal Employment Opportunity information that may be regarded as sensitive information in some countries (e.g., gender, ethnicity, disability status, veteran status). This Personal Information is collectively referred to as applicant data.
If you are an employee at an organization that uses Medallia, we may collect, store and share your contact info, bio (if applicable), and picture (if applicable). This makes it possible for us to keep track of you and return the correct information to you. We also use this to personalize the surveys and feedback requests we send on your behalf. We do this at the direction of your employer, and their own privacy policies are in effect as well. We also collect and store information about how you use the platform. We use this to determine how best to serve you.
2.2 Information We May Collect About You
We may automatically collect any of the following information each time you visit the website:
- Technical information, including the Internet Protocol (IP) address used to connect to the Internet, domain name and geolocation data, the file(s) requested, browser type, device, and version, browser plug-in types and versions, operating system and platform; and
- Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the website (including date and time), length of visits to certain pages, page interaction information (such as downloading, scrolling, clicks, and mouse-overs) and methods used to browse away from the page.
Some of the data we collect is anonymous information sent by your browser when you visit our websites; however, if or when you identify yourself by filling out a form, some data (such as what pages you view on our websites) will be connected to your personal information.
2.3 Website Feedback Survey and OCEM Assessments
We collect survey information from digital surveys embedded in our website. Medallia can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and to improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. We collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.
2.4 Information We May Receive From Other Sources
We will receive information about you if:
- You obtain our services through one of our resellers or partners. The types of information that we may receive are the same as the information that you may give to us detailed in section 2.1 above.
- You use any of the other websites we operate or the other services we provide. In this case, we will inform you when we collect that data that it may be shared internally and combined with data collected on the website. We work closely with third parties (including, for example, advertising networks, and analytics and search information providers) and may receive information about you from them. Information collected is used by Medallia to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence.
- You apply for a position with Medallia.
In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects contact information from professional network intelligence companies or industry event providers. Information collected by professional network intelligence companies is publicly available and used by Medallia’s talent acquisition team to determine your interest in employment with Medallia.
2.5 No Minor Data Collection Intended
Medallia’s website and recruiting efforts are directed to people who are at least 16 years of age. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact us here.
3. Use of Information
We, or third-party data processors acting on our behalf, collect, use and store the Personal Information listed above. We will use your Personal Information in order to deliver your contracted services, in order to comply with applicable laws, where we have obtained your consent, or where it is in the legitimate interests of Medallia to handle your Personal Information. More specifically, we collect, use and store your Personal Information for the following reasons:
- To register you for webinars/seminars/conferences.
- To inform you about Customer Experience Management certification courses.
- To assign a password.
- To ensure that content from the website and services is presented in the most efficient manner for you.
- To provide you with information, products or services that you request from us or which we feel may interest you.
- To carry out our obligations arising from any contracts entered into between you and us.
- To allow you to participate in interactive features (e.g., live chat) when you choose to do so.
- To notify you about changes to our products or services and to keep you informed about our fees and charges.
- To improve the quality and accuracy of the services.
- To allow you to access and use the website and to register for an account.
- To carry out activities in the legitimate interests of Medallia, for example, pursuing debt or ensuring the security of our services and the website.
- To carry out statistical analysis and market research.
- For marketing, advertising and promotional purposes.
- For the purposes of improving and maintaining the website, preparing reports or compiling statistics in order to improve our services. Such details will be anonymized as much as reasonably possible, and you will not be identifiable from the data collected.
- For the recruiting and hiring process, including providing you with information about Medallia career opportunities.
- To process applications for employment, assist with the interview experience and, in some cases, supplement the employment onboarding process.
- Medallia may use aggregate applicant data to track its diversity and inclusion efforts to meet its applicable legal requirements.
- To take other action you request when you supply the Personal Information.
4. Data Retention
We retain Personal Information for as long as you use the services we provide, as long as needed to carry out our legitimate business interests, and then as required to comply with applicable laws. For information about specific retention periods, please contact us here.
5. Disclosure of Information
5.1 Medallia Group Companies
Medallia may share your Personal Information with any Medallia Group Company, a group that consists of Medallia’s subsidiaries and affiliated entities worldwide.
5.2 Categories of Third Parties
- Our service providers and subcontractors including, but not limited to, payment processors, suppliers of technical and support services and cloud service providers;
- Companies that assist us in our marketing, advertising and promotional activities;
- Companies that assist in our recruiting and hiring activities;
- Analytics and search engine providers that assist us in the improvement and optimization of the website; and
- Systems integrators and service providers who resell our products and services.
Service providers that are provided access to Personal Information are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing our Personal Information. Service providers are required to enter into Data Processing Agreements with Medallia.
5.3 Other Third Party Disclosures
We will also disclose your Personal Information to third parties:
- In the event we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or asset;
- If Medallia, or substantially all of its assets, is acquired by a third party, in which case information held by it about its customers and partners will be one of the transferred assets;
- If Medallia is under a duty to disclose or share your Personal Information in order to comply with any legal obligation or any lawful request from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity; or
- In order to enforce or apply Medallia’s terms and conditions or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity.
6. Protection of Personal Information
Medallia is committed to taking steps to protect Personal Information you provide to us, including administrative, technical and physical measures to safeguard Personal Information against loss, theft, misuse, unauthorized access, disclosure, alteration and destruction. For more details on Medallia’s security measures, please visit Trust at Medallia.
7. Your Privacy Rights
7.1 Data Subject Requests
Subject to the conditions set forth under applicable law, you have the right to request to access, review, correct, update, suppress, restrict or delete Personal Information that you have provided to us. You have the right to request an electronic copy of Personal Information for purposes of transmitting it to another company. You have the right to ask us to not process your Personal Information for marketing purposes. You have the right to not be subject to a significant decision based solely on automated processing, including profiling. You may submit such requests by contacting us here. We will respond to your request in accordance with applicable law. In your request, you must advise what Personal Information you would like to access, review, correct, update, suppress, restrict or delete; or otherwise let us know what limitations you would like to put on our use of your Personal Information. We may need to verify your identity before completing your rights request by, for example, verifying your ownership of the relevant email account. If you are an authorized agent wishing to exercise rights on behalf of a California consumer, please contact us using the same link above.
Please note that we may need to retain certain Personal Information for recordkeeping purposes and/or to complete transactions that you began prior to requesting a change or deletion. In the event your Personal Information is processed on the basis of your consent, you may withdraw consent at any time by contacting us here and specifying the details of your request. However, any withdrawal of consent will not affect the lawfulness of any processing based on consent before it is withdrawn.
7.2 Exercising Opt-Out Preferences
If you have previously given us consent to use your Personal Information for marketing purposes and you now wish to withdraw your consent, you may opt out from receiving marketing communications (a) by clicking the “unsubscribe” link at the bottom of our communication with you; or (b) by contacting us here. Please note that opting out may prevent us from providing you with our services or information requested by you.
If you would like to opt out of Customer surveys, please directly contact the Customer you wish to unsubscribe from.
8. Transfers of Information
Data may be processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the UK or EEA), Medallia signs data processing agreements with our customers, partners and vendors that have robust privacy and security terms, including, where appropriate (i.e. if you are in the UK or the EEA), the Standard Contractual Clauses (also known as the “EU Model Clauses”).
Your Personal Information may also be processed by staff operating in the United States or outside the EEA or Switzerland that are working for us, other members of our group or third-party data processors. Such staff may be engaged in, among other things, the provision of our services to you, the processing of transactions and/or the provision of support services. By providing us with your Personal Information you acknowledge and agree to any such transfer, storage and processing.
9.1 What Are Cookies and Related Technologies
A cookie is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity.
Cookies were designed to be reliable ways for websites to remember the activity that a user had taken in the past such as indicating their preferences. We and our third-party partners and providers may also use other, related technologies to collect this information, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”).
9.2 What We Collect When Using Cookies
9.3 How We Use That Information
Cookies, beacons, tags and scripts are used by Medallia and our partners (e.g., marketing partners), affiliates, or analytics or service providers on our website. We and our marketing partners also use the information we collect through cookies to understand your browsing activities, including across unaffiliated third-party sites, so that we can deliver ads and information about products and services that may be of interest to you. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here). Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see will not be based on your interests.
We use Local Shared Objects (LSOs) to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use LSOs such as provided by HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.
9.4 Your Choices About Cookies
If you would prefer not to accept cookies, most browsers will allow you to: (i) change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Please note that doing so may negatively impact your experience using our online services, as some features and services on our online services may not work properly. Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.
Some Medallia products use Google Analytics for purposes of improving product performance. For more information on Google Analytics and how it collects and processes data, visit the site “How Google Uses Information From Sites or Apps that Use our Services,” located at https://policies.google.com/technologies/partner-sites.
9.5 Your Choices About Online Ads
We support the self-regulatory principles for online behavioral advertising (Principles) published by the Digital Advertising Alliance (DAA). This means that we allow you to exercise choice regarding the collection of information about your online activities over time and across third-party websites for online interest-based advertising purposes. More information about these Principles can be found at www.aboutads.info. If you want to opt out of receiving online interest-based advertisements on your internet browser from advertisers and third parties that participate in the DAA program and perform advertising-related services for us and our partners, please follow the instructions at www.aboutads.info/choices, or http://www.networkadvertising.org/choices/ to place an opt-out cookie on your device indicating that you do not want to receive interest-based advertisements. Opt-out cookies only work on the internet browser and device they are downloaded onto. If you want to opt out of interest-based advertisements across all your browsers and devices, you will need to opt out on each browser on each device you actively use. If you delete cookies on your device generally, you will need to opt out again.
If you want to opt out of receiving online interest-based advertisements on mobile apps, please follow the instructions at http://www.aboutads.info/appchoices.
10. Third Party Websites
11. Medallia and CCPA
11.1 California Consumer Privacy Act (CCPA) Activities
In this section, “business,” “business purpose,” “consumer,” “commercial purpose,” “personal information,” “sale” or “selling,” and “service provider” refer to the definitions in the CCPA.
Medallia has two areas of activity that are related to the CCPA:
- First, Medallia collects data from consumers in the course of providing Medallia products and services to its clients. In this activity, Medallia acts strictly as a “service provider” to our clients under the CCPA, and our clients are “businesses”. In the Medallia products and services, Medallia collects customer data based on our clients’ instructions. For example, our clients specify what consumers we should contact to provide feedback, when we should contact them (e.g., after completing a purchase at a client’s retail store), how we should contact them (e.g., email or SMS), how often we should send them reminders to provide a response, and what questions are asked. Medallia’s clients also decide how to use or respond to feedback that is collected.
- Second, Medallia collects data from consumers in the course of its marketing and recruiting efforts. This includes information we collect voluntarily from forms on our website and event registrations, information we collect automatically when you visit our website or apply for a position, and information we obtain from third party sources. In this activity, Medallia acts as a “business” under the CCPA.
11.2 Handling Personal Information Under CCPA
Regardless of which area of activity applies to you, Medallia does not sell your personal information.
Further, when we provide the Medallia products and services to our clients, we do not:
- process personal information for any commercial purpose other than providing our clients the products and services they have purchased; or
- retain, use or disclose personal information outside of the scope of the agreements we have with our clients.
11.3 Personal Information Collected and Disclosures for Business Purposes
The CCPA requires that we disclose the categories of personal information we collect about consumers, and the categories of personal information we disclose for a business purpose.
The chart below details where you can find information about the categories of personal information that Medallia has collected in the previous 12 months for each activity related to the CCPA.

| Activity | Where you can find information |
| --- | --- |
| Providing the Medallia products and services to Medallia clients as a “service provider” | The categories of personal information Medallia collects about consumers vary depending on our clients’ implementation and use of our software. For a generalized description of these categories, please see the Medallia Customer DPA located here. Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys). |

The chart below details where you can find information about the categories of information we have disclosed for a business purpose in the previous 12 months.

| Activity | Where you can find information |
| --- | --- |
| Providing the Medallia products and services to Medallia clients as a “service provider” | The categories of personal information Medallia discloses for a business purpose vary depending on the features of our software our clients use, and the servicing and support they have purchased. For a generalized description of these disclosures, please see the Medallia Customer DPA located here. Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys). |

11.4 Consumer Rights Under the CCPA
Your rights under the CCPA include the right to request a copy of the specific personal information collected about you in the 12 months prior to the request, and a business’s data collection practices (including categories of information collected, how information is used, and who it is disclosed to). We will generally refer to these as “access requests”.
In addition, with some exceptions, you can request deletion of the personal information that is collected about you. We will generally refer to these as “deletion requests”.
You have a right not to receive discriminatory treatment for exercising your CCPA rights.
With respect to personal data of consumers collected in Medallia products and services, Medallia’s clients are responsible for fulfilling access and deletion requests. Medallia supports these requests by offering our clients product features, processes and assistance in exporting personal information about individuals. These product features and processes complete the data deletion within 30 days of receiving the request from our client.
With respect to the personal data of consumers collected in Medallia’s marketing and recruiting efforts, we are responsible for fulfilling access and deletion requests.
The chart below details how you can exercise your rights under the CCPA.
| Activity | How to exercise your access and deletion rights |
| --- | --- |
| Providing the Medallia products and services to Medallia clients as a “service provider” | Please contact the Medallia client identified in the communication you received. |
| Carrying out Medallia’s marketing and recruiting efforts as a “business” | Please submit a request to our Marketing team here. |

In the request, please be as specific as possible in relation to the personal information you wish to access or delete. Once we receive the request, we will review it, and process the request accordingly. If we need additional information to verify your identity, we will let you know.
Any identifying information in such requests will be used solely for verification, and to communicate with you. We will respond to the request within 45 days of receipt, or notify you if we require additional time.
13. Contact Us
575 Market Street, Suite 1850
San Francisco, CA 94105
Attn: Data Protection Officer