Privacy and Data Protection

Learn about GDPR, CCPA, data privacy, and Wistia. Looking for our Data Processing Addendum (DPA)? It's here!

As of May 25, 2018, the EU General Data Protection Regulation (GDPR) became effective, bringing new global data protection rights for citizens of the European Union. Wistia supports the privacy rights of its customers and their users and is currently GDPR-compliant. In addition to our commitment to GDPR, we’re also certified under both the EU-US and Swiss-US Privacy Shield Framework.

On June 28, 2018, the California Consumer Privacy Act (CCPA) was signed into law. Becoming effective on January 1, 2020, the CCPA introduces many of the rights from the GDPR to California residents. Wistia is CCPA-compliant and, as part of our commitment to protecting the privacy of our users, offers the rights created by the CCPA to all users, regardless of whether or not they are residents of California.

Over the coming months, we plan to add additional functionality to our product, player, and APIs to make it easier for you to process Data Subject and Consumer Requests with us.

Data Processing Addendum

Wistia offers a Data Processing Addendum (DPA) for customers processing personal data in compliance with the GDPR and CCPA. Please reach out to your Wistia account executive to get a copy.

Data Subject and Consumer Rights

A major part of GDPR and the CCPA is the rights granted to EU residents and California residents with regard to their personal data and information. Under GDPR, a user has the right to access their data (in a commonly-used and machine-readable format), the right to be forgotten (have all of their personal data erased), the right to object to the processing of their data, the right to withdraw their consent to the processing of their data, and the right to know certain information about their data (like the categories of data collected and the recipients or categories of recipients to whom their data has been disclosed), subject to certain conditions.

Similarly, under the CCPA, a user has the right to access their personal information (in a portable and readily usable format), the right to the deletion of their personal information, the right to prohibit businesses from selling their personal information, and the right to know certain information about their data (like the specific pieces of information about the user and the categories of third parties to whom the business has sold or disclosed their personal information), subject to certain conditions.

In the case of Wistia, once a visitor has provided their email address to you via Turnstile, we can show you which of your medias they’ve watched, what parts they watched, and when they watched them. All of this data is available for export and can also be deleted.

Available Now

You may opt out of Wistia’s disclosure of your Personal Information to Customers by completing the form on our Privacy and Data Requests page. We will act upon any request to opt out of all sales of your Personal Information within 15 days of receiving your request. We will notify all Customers to whom we have disclosed your Personal Information of your request within 90 days of receiving your request and will inform you when we have done so. If you exercise your right to opt out of the disclosure of your Personal Information to Customers, Wistia will cease disclosing your Personal Information to Customers as of the date Wistia receives the form at the link above.

Via the API

You can use the Visitors API to find and export information about your viewers.

  • Find: Use the Visitors List endpoint with the “search” parameter to get the visitor key for a given email address. The visitor key is the unique identifier for that session. There may be multiple visitor keys associated with a single email address.

  • Export: Use the Visitors Show endpoint to export all information for a visitor.

What we’re working on

We want to make this process as streamlined as possible so that you can comply with your users' data requests easily from within your account and via our API.

From your account

You can access all information Wistia’s collected about an individual from the Audience page within your account.

We plan to make it easy to search by email address to locate an individual. From that individual’s viewer page, you’ll be able to see all their media views and data we’ve collected. We’ll make it easy to export that data in a machine-readable, readily-usable format (JSON) and permanently delete that user and their data.

Via the API

We are adding an endpoint to our API to let you delete all of a user’s information.

Cookies

As of January 28, 2020, our media player does not set any cookies.

However, scripts used in the embed code to serve media data or swatch images may set a cookie if the video is part of an A/B Test. This ensures that a user sees the correct media for the duration of the test.

If you do not want A/B Tests to set any cookies, you must enable Privacy Mode in your Account Settings. Please note that disabling cookies for A/B Tests may make it less likely that a viewer consistently sees the same media for the duration of the A/B Test.

Privacy Mode for our Media Player

We have created a special mode for our media player that only collects fully anonymized viewing data by disabling session tracking and anonymizing IP addresses of your viewers.

You can turn on Privacy Mode by default for all your medias, and we provide you with a way to programmatically disable Privacy Mode once a visitor has given you their express consent to track them. For instance, if you have a cookie consent banner on your site, when your visitor clicks the opt-in button, you would make a call to our player to enable session tracking.

You can find all the details regarding this in the Player Privacy Mode documentation.

Note: Privacy Mode isn’t strictly a necessity for your medias to be GDPR compliant, but it’s a helpful tool in minimizing the data you collect about individual visitors and users.

Media Footage as Personal Data and Personal Information

Personal data under the GDPR is defined as any information relating to an identified or identifiable person; personal information under the CCPA is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular consumer or household. As such, media footage containing people or information about them qualifies as personal data and personal information. If you get a request to remove an individual or information from a media, you can either delete that media or edit that individual out of the media.

Our Replace Video feature makes it easy to replace that media permanently and immediately in all locations.

If you delete a media in your Wistia account, it will be permanently removed from all of our systems within 30 days.

Privacy Declaration

We recommend including this statement about Wistia in your privacy declaration or policy:

This website uses Wistia (https://wistia.com) to power its medias. Wistia tracks how you interact with the medias on this site: how much of a media you play, at what points in a media you pause or rewind, etc. In some medias, we pause the media and request that you provide your email address or name. You are under no obligation to provide this information, but we reserve the right to limit certain medias to identified users. Wistia aggregates the data collected through the medias here, including names and email addresses, and provides it to us. Other than providing this data to us, Wistia does not sell or provide the data it collects from our medias to third parties. We use this data to [insert the business purpose for the data we provide you from your medias (i.e., how you use the data)].

The last sentence may be deleted if you address the business purpose for this category of data elsewhere in your privacy declaration or policy.

Breach Notification

In the event of a data breach, whether or not it involves personal data or personal information, we will contact you by email. We will also post any incidents to https://status.wistia.com. You can subscribe to updates there as well.

List of Data Sub-processors

Current as of: October 5, 2023

Consistent with the DPA, this is where we maintain a current list of sub-processors authorized to process customer data for Wistia’s services. Wistia imposes data protection terms with each sub-processor regarding their security controls and applicable regulations for the protection of personal data and personal information.

Entity Name | Entity Type | Entity Location
3Play Media | Video Transcription | USA
Amazon Web Services, Inc. | Cloud Service Provider | USA
Akamai, Inc. | Content Delivery Network | USA
Fastly, Inc. | Content Delivery Network | USA
Mux, Inc. | Video Performance Analytics | USA
APIHub, Inc. (Clearbit) | Contact Enrichment | USA
Algolia, Inc. | Search Enablement | USA
Upscope, Inc. | Customer Support | USA
Agora, Inc. | Live Video SDK | USA
Rev.ai | Audio Processing | USA
OpenAI | Artificial Intelligence | USA
Deepgram | Video Transcription | USA
Hubspot | Marketing and Integration | USA
Fivetran | BI and Analytics | USA

Questions

For questions or inquiries related to data privacy, CCPA, and GDPR, please contact us at privacy@wistia.com.