GDPR & Data Privacy

Learn about GDPR, data privacy, and Wistia. Looking for our Data Processing Addendum (DPA)? It's here!

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will become effective, bringing new global data protection rights for citizens of the European Union.

Wistia supports the privacy rights of its customers and their users and is currently GDPR-compliant. In addition to our commitment to GDPR, we’re also certified under both the EU-US and Swiss-US Privacy Shield Framework.

Over the coming months, we plan to add additional functionality to our product, player, and APIs to make it easier for you to process Data Subject Requests with us.

Data Processing Addendum

Wistia offers a Data Processing Addendum (DPA) for customers processing personal data in compliance with the GDPR. You can sign and download a copy of our DPA here.

Data Subject Rights

A major part of GDPR is the rights granted to EU residents with regard to their personal data. Under GDPR, a user has the right to access their data (in a commonly used and machine-readable format) and the right to be forgotten (have all of their personal data erased), subject to certain conditions.

In the case of Wistia, once a visitor has provided their email address to you via Turnstile, we can show you which of your videos they’ve watched, what parts they watched, and when they watched them. All of this data is available for export and can also be deleted.

Available Now

We’re happy to serve any Data Subject requests and are committed to doing so within 30 days of receipt of your request, per the terms in the DPA. Email us at privacy@wistia.com with your user’s email address and instructions.

Via the API

You can use the Visitors API to find and export information about your viewers.

  • Find: Use the Visitors List endpoint with the “search” parameter to get the visitor key for a given email address. The visitor key is the unique identifier for that session. There may be multiple visitor keys associated with a single email address.

  • Export: Use the Visitors Show endpoint to export all information for a visitor.
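The find-then-export flow above, sketched as an added example (not Wistia's own code). The base URL, bearer-token auth, pagination parameters and the `visitor_key` / `visitor_identity.email` field names are assumptions not stated on this page; the sample records are constructed so the block runs offline.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

API_BASE = "https://api.wistia.com/v1/stats"  # assumed base URL, not given on this page

def http_get(path, params, token):
    """Live transport: GET JSON with a bearer token (assumed auth scheme)."""
    req = Request(f"{API_BASE}/{path}?{urlencode(params)}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_visitor_keys(email, get, per_page=100):
    """Visitors List + "search": every visitor key whose email matches exactly."""
    wanted, keys, page = email.strip().lower(), [], 1
    while True:
        batch = get("visitors.json", {"search": email, "page": page, "per_page": per_page})
        for visitor in batch:
            identity = visitor.get("visitor_identity") or {}  # assumed field name
            # Re-check locally so a loose search hit never pulls in another person's record.
            if (identity.get("email") or "").strip().lower() == wanted:
                keys.append(visitor["visitor_key"])  # assumed field name
        if len(batch) < per_page:  # short page: nothing further to fetch
            return keys
        page += 1

def export_subject(email, get):
    """Visitors Show for each key: one bundle per data subject."""
    keys = find_visitor_keys(email, get)
    records = [get(f"visitors/{quote(k, safe='')}.json", {}) for k in keys]
    return {"email": email, "visitor_keys": keys, "visitors": records}

# Constructed sample records standing in for API responses (not real data).
SAMPLE = [
    {"visitor_key": "vk_1", "visitor_identity": {"email": "ana@example.com"}},
    {"visitor_key": "vk_2", "visitor_identity": {"email": "joana@example.com"}},
    {"visitor_key": "vk_3", "visitor_identity": {"email": "Ana@Example.com"}},
]

def fake_get(path, params):
    """Offline stand-in for http_get; its search is a substring match (assumption)."""
    if path == "visitors.json":
        term = params["search"].lower()
        hits = [v for v in SAMPLE if term in v["visitor_identity"]["email"].lower()]
        start = (params["page"] - 1) * params["per_page"]
        return hits[start:start + params["per_page"]]
    key = path[len("visitors/"):-len(".json")]
    return next(v for v in SAMPLE if v["visitor_key"] == key)
```

Against the live service, pass `lambda p, q: http_get(p, q, token)` as `get`; the exact-match filter keeps the export scoped to the one data subject who made the request.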

What we’re working on

We want to make this process as streamlined as possible for you so you can comply with your users' data requests easily from within your account and via our API.

From your account

You can access all information Wistia’s collected about an individual from the Audience page within your account.

We plan to make it easy to search by email address to locate an individual. From that individual’s viewer page, you’ll be able to see all their video views and data we’ve collected. We’ll make it easy to export that data in a machine-readable format (JSON) and permanently delete that user and their data.

Via the API

We are adding an endpoint to our API to let you delete all of a user’s information.

Cookies

Our video player sets two cookies, one to track visitors on your website (so you can tie multiple video views to a single device session) and one that we use to track video playback performance so we can improve our service.

Cookie Name | Purpose
__distillery | We use this to identify a visitor on your site, so that we can show you which videos they’ve watched across different pages.
muxData | This cookie is set by Mux, a service we use to analyze video playback performance across all customers.

If you’d like us not to set these cookies and only track visitors in a fully anonymized fashion, you can use our player’s Privacy Mode.

Privacy Mode for our Video Player

We have created a special mode for our video player that only collects fully anonymized viewing data by disabling session and cookie tracking and anonymizing IP addresses of your viewers.

You can turn on Privacy Mode by default for all your videos, and we provide you with a way to programmatically disable Privacy Mode once a visitor has given you their express consent to track them. For instance, if you have a cookie consent banner on your site, when your visitor clicks the opt-in button, you would make a call to our player to enable session tracking.

You can find all the details regarding this in the Player Privacy Mode documentation.

Note: Privacy Mode isn’t strictly a necessity for your videos to be GDPR compliant, but it’s a helpful tool in minimizing the data you collect about individual visitors and users.

Video Footage as Personal Data

Personal data is defined as any information relating to an identified or identifiable person. As such, video footage containing people or information about them classifies as personal data. If you get a request to remove an individual or information from a video, you can either delete that video or edit that individual out of the video.

Our Replace Video feature makes it easy to replace that video permanently and immediately in all locations.

If you delete a video in your Wistia account, it will be permanently removed from all of our systems within 30 days.

Privacy Declaration

We recommend including this statement about Wistia in your privacy declaration or policy:

This website uses Wistia (https://wistia.com) to power its videos. Wistia tracks how you interact with the videos on this site: how much of a video you watch, at what points in a video you pause or rewind, etc. In some videos, we pause the video and request that you provide your email address or name. You are under no obligation to provide this information, but we reserve the right to limit certain videos to identified users. Wistia aggregates the data collected through the videos here, including names and email addresses, and provides it to us. Wistia does not sell or provide the data it collects to third parties.

Breach Notification

In the event of a data breach, whether or not it involves personal data, we will contact you by email. We will also post any incidents to https://status.wistia.com. You can subscribe to updates there as well.

List of Data Sub-processors

Current as of: April 26, 2018

Consistent with the DPA, this is where we maintain a current list of sub-processors authorized to process customer data for Wistia’s services. Wistia imposes data protection terms on each sub-processor regarding their security controls and applicable regulations for the protection of personal data.

Entity Name | Entity Type | Entity Location
Amazon Web Services, Inc. | Cloud Service Provider | USA
Akamai, Inc. | Content Delivery Network | USA
Fastly, Inc. | Content Delivery Network | USA
Mux, Inc. | Video Performance Analytics | USA
APIHub, Inc. (Clearbit) | Contact Enrichment | USA

Questions

For questions or inquiries related to data privacy and GDPR, please contact us at privacy@wistia.com.