Privacy and Data Protection
Learn about GDPR, CCPA, data privacy, and Wistia. Looking for our Data Processing Addendum (DPA)? It's here!
As of May 25, 2018, the EU General Data Protection Regulation (GDPR) became effective, bringing new global data protection rights for citizens of the European Union. Wistia supports the privacy rights of its customers and their users and is currently GDPR-compliant. In addition to our commitment to GDPR, we’re also certified under both the EU-US and Swiss-US Privacy Shield Framework.
On June 28, 2018, the California Consumer Privacy Act (CCPA) was signed into law. Becoming effective on January 1, 2020, the CCPA introduces many of the rights from the GDPR to California residents. Wistia is CCPA-compliant and, as part of our commitment to protecting the privacy of our users, offers the rights created by the CCPA to all users, regardless of whether or not they are residents of California.
Over the coming months, we plan to add additional functionality to our product, player, and APIs to make it easier for you to process Data Subject and Consumer Requests with us.
Wistia offers a Data Processing Addendum (DPA) for customers processing personal data in compliance with the GDPR and CCPA. You can sign and download a copy of our DPA here.
A major part of GDPR and the CCPA is the rights granted to EU residents and California residents in regards to their personal data and information. Under GDPR, a user has the right to access their data (in a commonly-used and machine-readable format), the right to be forgotten (have all of their personal data erased), the right to object to the processing of their data, the right to withdraw their consent to the processing of their data, and the right to know certain information about their data (like the categories of data collected and the recipients or categories of recipients to whom their data has been disclosed), subject to certain conditions.
Similarly, under the CCPA, a user has the right to access their personal information (in a portable and readily usable format), the right to the deletion of their personal information, the right to prohibit businesses from selling their personal information, and the right to know certain information about their data (like the specific pieces of information about the user and the categories of third parties to whom the business has sold or disclosed their personal information), subject to certain conditions.
In the case of Wistia, once a visitor has provided their email address to you via Turnstile, we can show you which of your medias they’ve watched, what parts they watched, and when they watched them. All of this data is available for export and can also be deleted.
You may opt out of Wistia’s disclosure of your Personal Information to Customers by completing the form on our Privacy and Data Requests page. We will act upon any request to opt out of all sales of your Personal Information within 15 days of receiving your request. We will notify all Customers to whom we have disclosed your Personal Information of your request within 90 days of receiving your request and will inform you when we have done so. If you exercise your right to opt out of the disclosure of your Personal Information to Customers, Wistia will cease disclosing your Personal Information to Customers as of the date Wistia receives the form at the link above.
You can use the Visitors API to find and export information about your viewers.
Find: Use the Visitors List endpoint with the “search” parameter to get the visitor key for a given email address. The visitor key is the unique identifier for that session. There may be multiple visitor keys associated with a single email address.
Export: Use the Visitors Show endpoint to export all information for a visitor.
We want to make this process as streamlined as possible for you so can comply with your users' data requests easily from within your account and via our API.
You can access all information Wistia’s collected about an individual from the Audience page within your account.
We plan to make it easy to search by email address to locate an individual. From that individual’s viewer page, you’ll be able to see all their media views and data we’ve collected. We’ll make it easy to export that data in a machine-readable, readily-usable format (JSON) and permanently delete that user and their data.
We are adding an endpoint to our API to let you delete all of a user’s information.
We have created a special mode for our media player that only collects fully anonymized viewing data by disabling session tracking and anonymizing IP addresses of your viewers.
You can turn on Privacy Mode by default for all your medias, and we provide you with a way to programmatically disable Privacy Mode once a visitor has given you their express consent to track them. For instance, if you have a cookie consent banner on your site, when your visitor clicks the opt-in button, you would make a call to our player to enable session tracking.
You can find all the details regarding this in the Player Privacy Mode documentation.
Note Privacy Mode isn’t strictly a necessity for your medias to be GDPR compliant, but it’s a helpful tool in minimizing the data you collect about individual visitors and users.
Under the GDPR, when consent is required, it must be requested in an intelligible and easily accessible form, using clear and plain language. With this in mind, it’s important that if you’re using our Turnstile feature to collect personal data about your viewers, you update the language to be clear about how you’ll be using their email address and provide a link to your terms and conditions.
We recommend allowing viewers to skip your Turnstiles and using this as the lower text. Make sure to update the link with the URL of your terms.
By entering your email address, you agree to receive our marketing emails. Please see <a href="https://your.company.com/terms" target="_blank">our terms and conditions</a> for further information about how your data is used and stored, including how to opt out.
This is how it will appear:
For more information on consent under GDPR, refer to:
Personal data under the GDPR is defined as any information relating to an identified or identifiable person; personal information under the CCPA is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. As such, media footage containing people or information about them classifies as personal data and personal information. If you get a request to remove an individual or information from a media, you can either delete that media or edit that individual out of the media.
Our Replace Video feature makes it easy to replace that media permanently and immediately in all locations.
If you delete a media in your Wistia account, it will be permanently removed from all of our systems within 30 days.
We recommend including this statement about Wistia in your privacy declaration or policy:
This website uses Wistia (https://wistia.com) to power its medias. Wistia tracks how you interact with the medias on this site: how much of a media you play, at what points in a media you pause or rewind, etc. In some medias, we pause the media and request that you provide your email address or name. You are under no obligation to provide this information, but we reserve the right to limit certain medias to identified users. Wistia aggregates the data collected through the medias here, including names and email addresses, and provides it to us. Other than providing this data to us, Wistia does not sell or provide the data it collects from our medias to third parties. We use this data to [insert the business purpose for the data we provide you from your medias (i.e., how you use the data)].
The last sentence may be deleted if you address the business purpose for this category of data elsewhere in your privacy declaration or policy.
In the event of a data breach involving personal data or personal information (and ones that do not), we will contact you by email. We will also post any incidents to https://status.wistia.com. You can subscribe to updates there as well.
Current as of: April 26, 2018
Consistent with the DPA, this is where we maintain a current list of sub-processors authorized to process customer data for Wistia’s services. Wistia imposes data protection terms with each sub-processor regarding their security controls and applicable regulations for the protection of personal data and personal information.
|Entity Name||Entity Type||Entity Location|
|Amazon Web Services, Inc.||Cloud Service Provider||USA|
|Akamai, Inc.||Content Delivery Network||USA|
|Fastly, Inc.||Content Delivery Network||USA|
|Mux, Inc.||Video Performance Analytics||USA|
|APIHub, Inc. (Clearbit)||Contact Enrichment||USA|
For questions or inquiries related to data privacy, CCPA, and GDPR, please contact us at firstname.lastname@example.org.