Privacy Policy

Overview

LAST REVIEWED AND UPDATED: MARCH 17, 2024

Medallia, Inc. recognizes and respects your right to privacy. At Medallia, we want to provide you with information about the collection and use of your personal data. When we collect data, we do so in compliance with this Privacy Policy, which describes how we use and process the data we collect in more detail. This Privacy Policy also describes other important topics relating to information privacy. If you have any questions, please contact us here.

We encourage you to read this Privacy Policy carefully to understand how we handle your Personal Information.

This privacy policy covers the products owned by Medallia or any of its subsidiaries that link to this page. To learn more, click the links below:

Medallia and Customer Data
Types of Information Medallia Collects
Use of Information
Data Retention
Disclosure of Information
Protection of Personal Information
Your Privacy Rights
Transfers of Information
Use of Cookies
Third Party Websites
Medallia and CCPA/CPRA
Changes to Privacy Policy
Contact Us

 

1. Medallia and Customer Data

Medallia’s customers are organizations such as businesses, who use our services to help them understand employee and customer experiences. Medallia’s customers may electronically submit data or information for hosting and processing purposes (“Customer Data”). Medallia does not review, share, distribute or reference any such Customer Data except as provided in the  customer’s contract, and if applicable, in the Data Processing Agreement (“DPA”) between Medallia and our customer. Medallia may access Customer Data only for the purpose of providing services, preventing or addressing service or technical problems at our customer’s request in connection with customer support matters, or as may be required by law.  A copy of our standard Customer DPA is available here. If you have questions about personal data you have entered into a Medallia service used by one of our customers, or if you want to exercise any of your rights regarding your personal data, our customer contract requires that we redirect your inquiry back to that Medallia customer.

Medallia may transfer Customer Data to partners that help us provide our services. Transfers to third parties are covered by the provisions of our customer and partner agreements. To see a list of our Customer Data related subprocessors, please see here.

Medallia may retain Customer Data collected on behalf of our customers for as long as that customer’s account is active or as needed to provide services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.

For information about email survey invitations or other communications sent by Medallia on behalf of one of our customers, including opt-out and data deletion requests, please visit our opt-out FAQ. For general support inquiries, including problems with survey completion and incorrect survey invitations, please visit our survey support portal.

 

2. Types of Information Medallia Collects

When acting as a data controller with respect to website data, visitor data, and applicant data, we may collect and process any of the following information about you, which we refer to as “Personal Information” throughout this Privacy Policy:

2.1 Information You Give Us

You may give us information about yourself by using the online forms provided on the website or by contacting us by phone, e-mail or other means. This includes, for example, filling in the “Contact Us” form on the website, applying for a position with Medallia, registering for a webinar or event, providing your information to us in order to receive our services, or when participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”).

The information you give us may include email address, name, mailing address, telephone number, company name, company address, geolocation data, credit card information, job title, account information, chat conversations, video submissions, and any updates to information provided to us.

Please note that we need certain types of information so that we can provide services to you. If you do not provide us with such information, or if you ask us to delete it, you may no longer be able to access our services.

Medallia may collect Personal Information when a candidate submits an application for employment, including personal data contained within a resume or curriculum vitae (including names, contact details, employment and education history), and, when applicable, Equal Employment Opportunity information that may be regarded as sensitive information in some countries (e.g., gender, ethnicity, disability status, veteran status). This Personal Information is collectively referred to as applicant data.

If you are an employee at an organization that uses Medallia, we may collect, store and share your contact info, bio (if applicable), and picture (if applicable). This makes it possible for us to keep track of you and return the correct information to you. We also use this to personalize the surveys and feedback requests we send on your behalf. We do this at the direction of your employer, and their own privacy policies are in effect as well. We also collect and store information about how you use the platform.We use this to determine how best to serve you.

2.2 Information We May Collect About You

We may automatically collect any of the following information each time you visit the website:

  • Technical information, including the Internet Protocol (IP) address used to connect to the Internet, domain name and geolocation data, the file(s) requested, browser type, device, and version, browser plug-in types and versions, operating system and platform; and
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the website (including date and time), length of visits to certain pages, page interaction information (such as downloading, scrolling, clicks, and mouse-overs) and methods used to browse away from the page.

Some of the data we collect is anonymous information sent by your browser when you visit our websites, however if/when you identify yourself by filling out a form, some data (such as what pages you view on our websites) will be connected to your personal information.

For more information about our use of cookies and tracking technologies, please see section 9 of this Privacy Policy.

2.3 Website Feedback Survey and OCEM Assessments

We collect survey information from digital surveys embedded in our website. Medallia can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and to improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. We collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.

2.4 Information We May Receive From Other Sources

We will receive information about you if:

  • You obtain our services through one of our resellers or partners. The types of information that we may receive are the same as the information that you may give to us detailed in section 2.1 above.
  • You use any of the other websites we operate or the other services we provide. In this case, we will inform you when we collect that data that it may be shared internally and combined with data collected on the website. We work closely with third parties (including, for example, advertising networks, and analytics and search information providers) and may receive information about you from them. Information collected is used by Medallia to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence.
  • You apply for a position with Medallia.

In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects contact information from professional network intelligence companies or industry event providers. Information collected by professional network intelligence companies is publicly available and used by Medallia’s talent acquisition team to determine your interest in employment with Medallia.

2.5 No Minor Data Collection Intended

Medallia’s website and recruiting efforts are directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact us here.

 

3. Use of Information

We, or third-party data processors acting on our behalf, collect, use and store the Personal Information listed above. We will use your Personal Information in order to deliver your contracted services, in order to comply with applicable laws, where we have obtained your consent, or where it is in the legitimate interests of Medallia to handle your Personal Information. More specifically, we collect, use and store your Personal Information for the following reasons:

  • To register you for webinars/seminars/conferences.
  • To inform you about Customer Experience Management certification courses.
  • To assign a password.
  • To ensure that content from the website and services is presented in the most efficient manner for you.
  • To provide you with information, products or services that you request from us or which we feel may interest you.
  • To carry out our obligations arising from any contracts entered into between you and us.
  • To allow you to participate in interactive features (e.g., live chat) when you choose to do so.
  • To notify you about changes to our products or services and to keep you informed about our fees and charges.
  • To improve the quality and accuracy of the services.
  • To allow you to access and use the website and to register for an account.
  • To carry out activities in the legitimate interests of Medallia, for example, pursuing debt or ensuring the security of our services and the website.
  • To carry out statistical analysis and market research.
  • For marketing, advertising and promotional purposes.
  • For the purposes of improving and maintaining the website, preparing reports or compiling statistics in order to improve our services. Such details will be anonymized as much as reasonably possible, and you will not be identifiable from the data collected.
  • For the recruiting and hiring process, including providing you with information about Medallia career opportunities.
  • To process applications for employment, assist with the interview experience and, in some cases, supplement the employment onboarding process.
  • Medallia may use aggregate applicant data to track its diversity and inclusion efforts to meet its applicable legal requirements.
  • To take other action you request when you supply the Personal Information.

 

4. Data Retention

We retain Personal Information for as long as you use the services we provide, as long as needed to carry out our legitimate business interests, and then as required to comply with applicable laws. For information about specific retention periods, please contact us here.

 

5. Disclosure of Information

We will not sell, hire, lease or rent your Personal Information that we collect to any third party without notifying you and/or obtaining your consent, except as expressly set forth in this section. Where you have given your consent for us to use your information in a particular way, but later change your mind, please contact us as set forth in section 13 of this Privacy Policy in order to revoke such consent.

5.1 Medallia Group Companies

Medallia may share your Personal Information with any Medallia Group Company, a group that consists of Medallia’s subsidiaries and affiliated entities worldwide.

5.2 Categories of Third Parties

Any third parties with whom we share your Personal Information are limited (by law and by contract) in their ability to use your Personal Information for any purpose other than to provide services for us. We will always ensure that any third parties with whom we share your Personal Information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws. We will share your Personal Information with the following categories of third parties:

  • Our service providers and subcontractors including, but not limited to, payment processors, suppliers of technical and support services and cloud service providers;
  • Companies that assist us in our marketing, advertising and promotional activities;
  • Companies that assist in our recruiting and hiring activities;
  • Analytics and search engine providers that assist us in the improvement and optimization of the website; and
  • Systems integrators and service providers who resell our products and services.

Service providers that are provided access to Personal Information are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing our Personal Information. Service providers are required to enter into Data Processing Agreements with Medallia.

5.3 Other Third Party Disclosures

We will also disclose your Personal Information to third parties:

  • In the event we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or asset;
  • If Medallia, or substantially all of its assets, is acquired by a third party, in which case information held by it about its customers and partners will be one of the transferred assets;
  • If Medallia is under a duty to disclose or share your Personal Information in order to comply with any legal obligation or any lawful request from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity; or
  • In order to enforce or apply Medallia’s terms and conditions or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity.

 

6. Protection of Personal Information

Medallia is committed to taking steps to protect Personal Information you provide to us, including administrative, technical and physical measures to safeguard Personal Information against loss, theft, misuse, unauthorized access, disclosure, alteration and destruction. For more details on Medallia’s security measures, please visit Trust at Medallia.

 

7. Your Privacy Rights

7.1 Data Subject Requests

Subject to the conditions set forth under applicable law, you have the right to request to access, review, correct, update, suppress, restrict or delete Personal Information that you have provided to us. You have the right to request an electronic copy of Personal Information for purposes of transmitting it to another company. You have the right to ask us to not process your Personal Information for marketing purposes. You have the right to not be subject to a significant decision based solely on automated processing, including profiling. You may submit such requests by contacting us here. We will respond to your request in accordance with applicable law. In your request, you must advise what Personal Information you would like to access, review, correct, update, suppress, restrict or delete; or otherwise let us know what limitations you would like to put on our use of your Personal Information. We may need to verify your identity before completing your rights request by, for example, verifying your ownership of the relevant email account. If you are an authorized agent wishing to exercise rights on behalf of a California consumer, please contact us using the same link above.

Please note that we may need to retain certain Personal Information for recordkeeping purposes and/or to complete transactions that you began prior to requesting a change or deletion. In the event your Personal Information is processed on the basis of your consent, you may withdraw consent at any time by contacting us here and specifying the details of your request. However, any withdrawal of consent will not affect the lawfulness of any processing based on consent before it is withdrawn.

7.2 Exercising Opt-Out Preferences

If you have previously given us consent to use your Personal Information for marketing purposes and you now wish to withdraw your consent, you may opt out from receiving marketing communications (a) by clicking the “unsubscribe” link at the bottom of our communication with you; or (b) by contacting us herePlease note that opting out may prevent us from providing you with our services or information requested by you.

If you would like to opt out of Customer surveys, please directly contact the Customer you wish to unsubscribe from. 

7.3 Complaints

If you are in a jurisdiction with a privacy rights enforcement authority, you may lodge a complaint with that authority in your own state or country of residence, if you consider that the collection and use of your Personal Information infringes this Privacy Policy or applicable law.

 

8. Transfers of Information

Data may be processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the UK or EEA), Medallia signs data processing agreements with our customers, partners and vendors that have robust privacy and security terms, including, where appropriate (i.e. if you are in the UK or the EEA), the Standard Contractual Clauses (also known as the “EU Model Clauses”).

Your Personal Information may also be processed by staff operating in the United States or outside the EEA or Switzerland that are working for us, other members of our group or third-party data processors. Such staff may be engaged in, among other things, the provision of our services to you, the processing of transactions and/or the provision of support services. By providing us with your Personal Information you acknowledge and agree to any such transfer, storage and processing.

We will always take steps to ensure that such transfers comply with applicable privacy laws, and we will take all reasonable precautions to ensure that your Personal Information is treated securely and in accordance with this Privacy Policy.

<

9. Use of Cookies

A cookie is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity.

Cookies were designed to be reliable ways for websites to remember the activity that a user had taken in the past such as indicating their preferences. We and our third-party partners and providers may also use other, related technologies to collect this information, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”).

9.2 What We Collect When Using Cookies

We and our third-party partners and providers may use cookies to automatically collect certain types of usage information when you visit or interact with our email communications, websites and other online services. For example, when you visit Medallia’s website, we collect IP address, browser type, referring/exit pages, operating system, date/time stamp, clickstream data, and other similar information. We may collect analytics data or use third-party analytics tools such as Google Analytics to help us measure usage and activity trends for our online services and better understand our customer base.

9.3 How We Use That Information

We use or may use the data collected through cookies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit our websites and online services; (b) provide and monitor the effectiveness of our websites and online services; (c) monitor online usage and activities of our websites and online services; (d) diagnose errors and problems with our websites and online services; (e) otherwise plan for and enhance our online services; and (f) facilitate the purposes identified in this Privacy Policy.

Cookies, beacons, tags and scripts are used by Medallia and our partners (e.g., marketing partners), affiliates, or analytics or service providers on our website. We and our marketing partners also use the information we collect through cookies to understand your browsing activities, including across unaffiliated third-party sites, so that we can deliver ads and information about products and services that may be of interest to you. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here). Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see will not be based on your interests.

We use Local Shared Objects (LSOs) to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use LSOs such as provided by HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.

Please note that we link some of the Personal Information we collect through cookies with the other Personal Information that we collect about you and for the purposes described in this Privacy Policy.

9.4 Your Choices About Cookies

If you would prefer not to accept cookies, most browsers will allow you to: (i) change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Please note that doing so may negatively impact your experience using our online services, as some features and services on our online services may not work properly. Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.

Some Medallia products use Google Analytics for purposes of improving product performance. For more information on Google Analytics, and how it collects and processes data visit the site “How Google Uses Information From Sites or Apps that Use our Services,” located at https://policies.google.com/technologies/partner-sites.

9.5 Your Choices About Online Ads

We support the self-regulatory principles for online behavioral advertising (Principles) published by the Digital Advertising Alliance (DAA). This means that we allow you to exercise choice regarding the collection of information about your online activities over time and across third-party websites for online interest-based advertising purposes. More information about these Principles can be found at www.aboutads.info. If you want to opt out of receiving online interest-based advertisements on your internet browser from advertisers and third parties that participate in the DAA program and perform advertising-related services for us and our partners, please follow the instructions at www.aboutads.info/choices, or http://www.networkadvertising.org/choices/ to place an opt-out cookie on your device indicating that you do not want to receive interest-based advertisements. Opt-out cookies only work on the internet browser and device they are downloaded onto. If you want to opt out of interest-based advertisements across all your browsers and devices, you will need to opt out on each browser on each device you actively use. If you delete cookies on your device generally, you will need to opt out again.

If you want to opt out of receiving online interest-based advertisements on mobile apps, please follow the instructions at http://www.aboutads.info/appchoices.

Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see from DAA program participants should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, third parties may still use cookies to collect information about your use of our online services, including for analytics and fraud prevention as well as any other purpose permitted under the DAA’s Principles.

 

10. Third Party Websites

The website may, from time to time, contain links to other websites operated by third parties. Please note that this Privacy Policy applies solely to the information collected from the website, and we cannot be responsible for Personal Information collected and stored by third parties. If you choose to visit any websites operated by third parties, then their privacy policies would apply, and you should carefully read such third parties’ privacy policies before submitting any Personal Information to those websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites, terms and conditions or policies.

 

11. Medallia and CCPA

11.1 California Consumer Privacy Act (CCPA) Activities

In this section, “business,” “business purpose,” “consumer,” “commercial purpose,” “personal information,” “sale” or “selling,” and “service provider” refer to the definitions in the CCPA.

Medallia has two areas of activity that are related to the CCPA:

  • First, Medallia collects data from consumers in the course of providing Medallia products and services  to its clients. In this activity, Medallia acts strictly as a “service provider” to our clients under the CCPA, and our clients are “businesses”.  In the Medallia products and services, Medallia collects customer data based on our clients’ instructions. For example, our clients specify what consumers we should contact to provide feedback, when we should contact them (e.g., after completing a purchase at a client’s retail store), how we should contact them (e.g., email or SMS), how often we should send them reminders to provide a response, and what questions are asked. Medallia’s clients also decide how to use or respond to feedback that is collected.
  • Second, Medallia collects data from consumers in the course of its marketing and recruiting efforts. This includes information we collect voluntarily from forms on our website and event registrations, information we collect automatically when you visit our website, apply for a position, and information we obtain from third party sources. In this activity, Medallia acts as a “business” under the CCPA.

11.2 Handling Personal Information Under CCPA

Regardless of which area of activity applies to you, Medallia does not sell your personal information.

To be clear, in the previous 12 months we have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer’s personal information to another business or third party for monetary or other valuable consideration. If that changes, we will update this Privacy Policy.

Further, when we provide the Medallia products and services to our clients, we do not:

  • process personal information for any commercial purpose other than providing our clients the products and services they have purchased; or
  • retain, use or disclose personal information outside of the scope of the agreements we have with our clients.

11.3 Personal Information Collected and Disclosures for Business Purposes

The CCPA requires that we disclose the categories of personal information we collect about consumers, and the categories of personal information we disclose for a business purpose.

The chart below details where you find information about the categories of personal information that Medallia has collected in the previous 12 months for each activity related to the CCPA.

 

Activity Where you can find information
Providing the Medallia products and services to Medallia clients as a “service provider” The categories of personal information Medallia collects about consumers vary depending on our clients’ implementation and use of our software. For a generalized description of these categories, please see the Medallia Customer DPA located here.

For more information on the types of data collected by a particular Medallia client, refer to the privacy policy or communications of the Medallia client.

Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys).

Carrying out Medallia’s marketing and recruiting efforts as a “business” See section 2 (Types of Information Collected) of this Privacy Policy.

 

The chart below details where you can find information about the categories of information we disclose for a business purpose in the previous 12 months.

 

Activity Where you can find information
Providing the Medallia products and services to Medallia clients as a “service provider” The categories of personal information Medallia discloses for a business purpose vary depending on the features of our software our clients use, and the servicing and support they have purchased. For a generalized description of these disclosures, please see the Medallia Customer DPA located here.

For more information on the disclosures made to a particular Medallia client, refer to the privacy policy or communications from the Medallia client.

Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys).

Carrying out Medallia’s marketing and recruiting efforts as a “business” See section 5 (Disclosure of Information) of this Privacy Policy.

 

11.4 Consumer Rights Under the CCPA

Your rights under the CCPA include the right to request a copy of the specific personal information collected about you in the 12 months prior to the request, and a business’s data collection practices (including categories of information collected, how information is used, and who it is disclosed to). We will generally refer to these as “access requests”.

In addition, with some exceptions, you can request deletion of the personal information that is collected about you. We will generally refer to these as “deletion requests”.

You have a right not to receive discriminatory treatment for exercising their CCPA rights.

With respect to personal data of consumers collected in Medallia products and services, Medallia’s clients are responsible for fulfilling access and deletion requests. Medallia supports these requests by offering our clients product features, processes and assistance in exporting personal information about individuals. These product features and processes complete the data deletion within 30 days of receiving the request from our client.

With respect to the personal data of consumers collected in Medallia’s marketing and recruiting efforts, we are responsible for fulfilling access and deletion requests.

The chart below details how you can exercise your rights under the CCPA.

 

Activity How to exercise your access and deletion rights
Providing the Medallia products and services to Medallia clients as a “service provider” Please contact the Medallia client identified in the communication you received.

Contact information is commonly located within the communication or in a privacy policy linked from the communication.

Carrying out Medallia’s marketing and recruiting efforts as a “business” Please submit a request to our Marketing team here.

In the request, please be as specific as possible in relation to the personal information you wish to access or delete. Once we receive the request, we will review it, and process the request accordingly. If we need additional information to verify your identity, we will let you know.

Any identifying information in such requests will be used solely for verification, and to communicate with you. We will respond to the request within 45 days of receipt, or notify you if we require additional time.

 

12. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. By continuing to use the services and the website, you agree to the latest version of this Privacy Policy. Any future changes we make to this Privacy Policy will be posted on this page, sent to our clients via email, or shared through other appropriate channels. Please visit this page frequently to check for any updates or changes to this Privacy Policy. If you would like to review an archive of our previous privacy policies, please visit our Privacy Policy Archive.

 

13. Contact Us

If you have any questions or comments about Medallia’s Privacy Policy or the practices of this site, if you would like to issue a complaint, or if you have an unresolved privacy and data use concern, we’d like to hear from you.  Medallia responds to privacy-related requests in a timely fashion and pursuant to applicable law. To make a privacy-related request or to contact our Data Protection Officer, please contact us through the form found here, by phone at +1 877-392-2794, or by mail at the following address:

Medallia, Inc.
6220 Stoneridge Mall Rd Floor 2
Pleasanton, CA 94588
Attn: Data Protection Officer