On May 25, 2018, the EU General Data Protection Regulation (GDPR) will become effective, bringing new global data protection rights for citizens of the European Union.
Wistia supports the privacy rights of its customers and their users and is currently GDPR-compliant. In addition to our commitment to GDPR, we're also certified under both the EU-US and Swiss-US Privacy Shield Framework.
Over the coming months, we plan to add additional functionality to our product, player, and APIs to make it easier for you to process Data Subject Requests with us.
Wistia offers a Data Processing Addendum (DPA) for customers processing personal data in compliance with the GDPR. You can sign and download a copy of our DPA here.
A major part of GDPR is the rights granted to EU residents in regards to their personal data. Under GDPR, a user has the right to access their data (in a commonly-used and machine-readable format) and the right to be forgotten (have all of their personal data erased), subject to certain conditions.
In the case of Wistia, once a visitor has provided their email address to you via Turnstile, we can show you which of your videos they've watched, what parts they watched, and when they watched them. All of this data is available for export and can also be deleted.
We're happy to serve any Data Subject requests and are committed to doing so within 30 days upon receipt of your request, per the terms in the DPA. Email us at firstname.lastname@example.org with your user's email address and instructions.
You can use the Visitors API to find and export information about your viewers.
Find: Use the Visitors List endpoint with the “search” parameter to get the visitor key for a given email address. The visitor key is the unique identifier for that session. There may be multiple visitor keys associated with a single email address.
Export: Use the Visitors Show endpoint to export all information for a visitor.
We want to make this process as streamlined as possible for you so can comply with your users' data requests easily from within your account and via our API.
You can access all information Wistia's collected about an individual from the Audience page within your account.
We plan to make it easy to search by email address to locate an individual. From that individual's viewer page, you'll be able to see all their video views and data we've collected. We'll make it easy to export that data in a machine-readable format (JSON) and permanently delete that user and their data.
We are adding an endpoint to our API to let you delete all of a user's information.
We have created a special mode for our video player that only collects fully anonymized viewing data by disabling session and cookie tracking and anonymizing IP addresses of your viewers.
You can turn on Privacy Mode by default for all your videos, and we provide you with a way to programmatically disable Privacy Mode once a visitor has given you their express consent to track them. For instance, if you have a cookie consent banner on your site, when your visitor clicks the opt-in button, you would make a call to our player to enable session tracking.
You can find all the details regarding this in the Player Privacy Mode documentation.
Note Privacy Mode isn't strictly a necessity for your videos to be GDPR compliant, but it's a helpful tool in minimizing the data you collect about individual visitors and users.
Under the GDPR, when consent is required, it must be requested in an intelligible and easily accessible form, using clear and plain language. With this in mind, it's important that if you're using our Turnstile feature to collect personal data about your viewers, you update the language to be clear about how you'll be using their email address and provide a link to your terms and conditions.
We recommend allowing viewers to skip your Turnstiles and using this as the lower text. Make sure to update the link with the URL of your terms.
By entering your email address, you agree to receive our marketing emails. Please see <a href="https://your.company.com/terms" target="_blank">our terms and conditions</a> for further information about how your data is used and stored, including how to opt out.
This is how it will appear:
For more information on consent under GDPR, refer to:
Personal data is defined as any information relating to an identified or identifiable person. As such, video footage containing people or information about them classifies as personal data. If you get a request to remove an individual or information from a video, you can either delete that video or edit that individual out of the video.
Our Replace Video feature makes it easy to replace that video permanently and immediately in all locations.
If you delete a video in your Wistia account, it will be permanently removed from all of our systems within 30 days.
We recommend including this statement about Wistia in your privacy declaration or policy:
This website uses Wistia (https://wistia.com) to power its videos. Wistia tracks how you interact with the videos on this site: how much of a video you watch, at what points in a video you pause or rewind, etc. In some videos, we pause the video and request that you provide your email address or name. You are under no obligation to provide this information, but we reserve the right to limit certain videos to identified users. Wistia aggregates the data collected through the videos here, including names and email addresses, and provides it to us. Wistia does not sell or provide the data it collects to third parties.
In the event of a data breach involving personal data (and ones that do not), we will contact you by email. We will also post any incidents to https://status.wistia.com. You can subscribe to updates there as well.
Current as of: April 26, 2018
Consistent with the DPA, this is where we maintain a current list of sub-processors authorized to process customer data for Wistia's services. Wistia imposes data protection terms with each sub-processor regarding their security controls and applicable regulations for the protection of personal data.
|Entity Name||Entity Type||Entity Location|
|Amazon Web Services, Inc.||Cloud Service Provider||USA|
|Akamai, Inc.||Content Delivery Network||USA|
|Fastly, Inc.||Content Delivery Network||USA|
|Mux, Inc.||Video Performance Analytics||USA|
|APIHub, Inc. (Clearbit)||Contact Enrichment||USA|
For questions or inquiries related to data privacy and GDPR, please contact us at email@example.com.