Medallia Privacy Policy

Medallia, Inc. is committed to safeguarding the privacy of your personally identifiable information. This statement sets forth Medallia's privacy policy. The policy complies with the privacy principles of TRUSTe, in which Medallia is a member, as well as with the Safe Harbor Program, a framework established by U.S. and European parties for collecting, using, and retaining personally identifiable information from EU countries.

For the purposes of this policy, Medallia defines the term "client" as a business with which Medallia has an established relationship, "customer" as a customer of a Medallia client, and "respondent" as an individual who takes Medallia's surveys independent of Medallia's clients.

This privacy policy covers how Medallia handles personally identifiable information, including personally identifiable information associated with the URLs Medallia.com and guest-survey.net.

Information Medallia Collects

Medallia collects survey and other market research data about individuals' usage of products and services. The data is used by Medallia clients to improve their products and services.

Medallia does not receive, use or collect personally identifiable information, such as names, addresses, phone numbers and e-mail addresses, except under the following circumstances:

When an existing or prospective client goes to www.medallia.com to request a demonstration of a Medallia product, he or she must provide contact details including person-specific information (name, title, phone number and e-mail address) and organization-specific information (name and address). Medallia uses this information solely for the purpose of contacting the interested party and scheduling demonstrations. Medallia does not share any PII collected on its www.medallia.com website with outside parties.

When Medallia surveys customers on behalf of its clients, it receives customers' personally identifiable information from its clients. Medallia enters into confidentiality and non-disclosure agreements with clients that legally obligate Medallia to protect the personally identifiable customer information it receives and use it only for the purposes specified in the contract. From time to time Medallia may collect personally identifiable information during a survey, if requested to do so by a client. This personally identifiable information will be shared with the client, and will be used as described in that survey.

Medallia may, with the written consent of its clients, ask questions of customers for whom it has received personally identifiable information, and bundle and sell those responses in an aggregate form. Before providing any survey results to third parties, responses are stripped of personally identifying or client-identifying information, aggregated, and adjusted using Medallia's proprietary methodologies.

When Medallia surveys respondents on its own behalf, it typically does not collect or have any other access to personally identifying information. If Medallia does request personally identifiable information during a survey, it will use the personally identifiable information as described in that survey. When Medallia provides resulting proprietary research to third parties, it sometimes reveals individual responses, but these do not contain any personally identifying information.

Medallia does not collect or receive sensitive personal information such as: credit card numbers, social security numbers, financial account and transaction information, medical or health information, political opinions, religious or philosophical beliefs, or trade union membership. Medallia does collect demographic information for statistical purposes. Responses to demographic questions are entirely voluntary.

Medallia uses cookies primarily to identify returning users from the same computer and insure the integrity of its research. As part of its basic uses of Internet technology to provide surveys, Medallia also collects technical information such as: respondent IP address; the date and time at which respondents access Medallia's website and respondent HTTP request headers.

Medallia does not use cookies on its www.medallia.com site.

Voluntary Participation

Individuals may choose not to participate in Medallia's research. An opt-out choice is included in each communication to individuals, and those who exercise it will be added to Medallia's opt-out list within ten (10) business days of unsubscribing. Medallia does not send survey invitations to any e-mail address on its opt-out list. Medallia also provides its opt-out list on a timely basis to its clients and third party agents so that they may properly update their records.

Individuals may elect to opt out at any time from receiving email from Medallia and are under no obligation to take surveys sent to them. Individuals who wish to reverse an earlier unsubscribe option may contact Medallia's privacy contact (see contact information below) to change their opt-out status.

Transfer of Personally-Identifiable Information to Third Parties

Medallia is not in the business of selling or renting personally identifiable information gathered in the course of client work to third parties. Medallia shares information with third parties, such as its clients, only as described in this policy or as described at the time information is collected. For example, Medallia may, at the request of a client, ask you for your email address so a client can follow up with you about your responses to a survey. The provision of such information is typically voluntary, and at all times participation in a survey is, of course, voluntary.

From time to time, Medallia may contract third parties to perform functions necessary for its research operations and, under the terms of those contracts, may transfer personally identifiable data to those third parties. Medallia requires such third party agents to enter into non-disclosure and confidentiality agreements that obligate them to maintain the same level of data confidentiality as Medallia and to use the data in no manner other than that specified in the contract.

Access

Customers and respondents may contact Medallia (see Privacy Contact below) at any time if they feel there is an error in their personal information. Because Medallia generally receives and retains personal information as an agent of its clients, it will usually refer individuals reporting inaccuracies in their personally identifying information to the originating source for correction.

Subsequent to verifying the identity of a person making a request, Medallia will respond to a request for offline access to personal information within 30 days of receiving the request.

Security

Medallia takes strict physical, technical and procedural measures to keep information secure by:

Housing data in physically secure facilities that are monitored 24 hours a day, seven days a week
Protecting network from inappropriate access through continuous firewall protection, anti-virus protection, and identification, authentication and authorization procedures
Transmitting certain data securely through secured socket layers (SSLs)
Encrypting certain data
Destroying all media and documents containing personally-identifiable information before disposal
Strictly limiting personally-identifiable information to key personnel and requiring ALL employees and contractors to sign non-disclosure and confidentiality agreements
Using incident detection, response and escalation procedures

Enforcement

Medallia's privacy practices are reviewed and audited regularly by TRUSTe (www.truste.org), an independent, nonprofit organization focused on building users' trust and confidence in the internet by promoting disclosure and informed consent. Through its Watchdog program, TRUSTe provides alternative dispute resolution for privacy-related disputes. Individuals may contact TRUSTe to express any concerns regarding Medallia's privacy practices: http://www.truste.org/consumers/watchdog_complaint.php.

Medallia uses the TRUSTe mark(s) under license from TRUSTe pursuant to the requirements of the TRUSTe program, and all rights in the TRUSTe Mark(s) belong to TRUSTe.

Legal Disclaimer

When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. However, Medallia may be required by law to disclose personal information where judicial or other governmental subpoenas, warrants, or orders are properly issued. Individuals' unsubscribe option in no way limits Medallia's use, disclosure or distribution of personally-identifiable information to the extent such use, disclosure or distribution is required by law, court order or other valid legal process.

Children's Privacy

Medallia does not knowingly collect any information from any individual under the age of 13.

Notification of Changes

If we decide to change our privacy policy, we will post these changes to the Medallia website. All changes will be posted to this privacy statement, the homepage, and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under circumstances, if any, we disclose it. The date of last revision will be shown on the website.

We reserve the right to modify this privacy statement at any time, so please review it frequently. If we make material changes to this policy, we will notify you here, by e-mail, or by means of a notice on our home page.

Privacy Contact

If you have any questions or comments about this privacy statement or the practices of this site, please contact Medallia by e-mailing info@medallia.com, faxing (650) 321-3156, calling (650) 321-3000, or writing Amy Pressman, Chief Operating Officer, Medallia, Inc., 1010 El Camino Real, Suite 340, Menlo Park, CA 94025. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.