Why Medallia
Why Medallia

Learn how partnering with us can transform your business — for both customers and employees.
Success Stories

See results from brands like yours
ROI Calculator

Optimize your program spend
Enterprise-Grade Platform

Explore all features and benefits
World-Class Service

Get support for crucial operations
Global Impact

Impact the world beyond your own
AI Leadership

Follow our AI experience innovations
Partner Network

Access approved, localized expertise
Platform
Medallia Platform

Explore how experiences come together in one powerful platform.
Comprehensive Feedback Capture

Collect every signal for more meaningful data
Administration

Run complex, global programs with self-service
Role-Based Reporting

Close the loop and drive action quickly
AI & Analytics

Uncover essential insights from every interaction
Integrations

Easily share data across systems and teams
Pricing

Expand your program with flexible pricing
Enterprise-Grade Security

Keep your business data safe and compliant
Solutions
Customer Experience

End-to-end customer experience management and orchestration
Overview
Customer Experience Management
Digital Experience
Experience Orchestration
Personalized Messaging
Employee Experience

Employee listening and activation solutions
Overview
Employee Listening
Employee Activation
Ideas
Contact Center

Improve agent engagement and optimize service quality
Overview
Conversation Intelligence
Agent Coaching
Quality Management
Intelligent Callback
Market Research

Expert research strategy, design, analytics, and deliverables
Overview
Agile Research
Consumer Intelligence
Video
Research Strategy & Services
Industries
Automotive
Financial Services
Healthcare
Insurance
Life Sciences
Manufacturing
Public Sector
Retail
Restaurants
Technology & Services
Telco & Media
Travel & Hospitality
Utilities
Resources
Discover

Get guidance from leading experience professionals across a variety of mediums.
Blog
Newsroom
Customer Stories
Event Calendar
Careers
Medallia Xchange
Learn

Whether a tenured Medallia pro or a burgeoning advocate, there’s plenty to learn.
Training & Certification
Medallia User Group
Experience 101
Experience Now
Resource Library
Partners
Support

Our team is ready to support you with knowledge, help, and new enhancements.

Knowledge Center
Experts on Demand
Contact Support
exp
EXP Now

Medallia’s On-Demand Streaming Network

Watch Now

English

SELECT YOUR REGION & LANGUAGE

  • English

  • France (Français)

  • Germany (Deutsch)

  • Spain (Español)

  • Latin America (Español)

  • Italy (Italiano)

  • Japan (日本語)

  • Korea (한국어)

  • Brazil (Português Brasileiro)

Request a demo

Privacy Policy Archive

Privacy Resources

Data Privacy Framework Notice Data Privacy @ Medallia Customer DPA Sub-processor List
Logos

February 18, 2021 through March 17, 2024

 

Overview

Medallia, Inc. recognizes and respects your right to privacy. At Medallia, we want to provide you with information about the collection and use of your personal data. When we collect data, we do so in compliance with this Privacy Policy, which describes how we use and process the data we collect in more detail. This Privacy Policy also describes other important topics relating to information privacy. If you have any questions, please contact us here.

We encourage you to read this Privacy Policy carefully to understand how we handle your Personal Information.

This privacy policy covers the products owned by Medallia or any of its subsidiaries that link to this page. To learn more, click the links below:

Medallia and Customer Data
Types of Information Medallia Collects
Use of Information
Data Retention
Disclosure of Information
Protection of Personal Information
Your Privacy Rights
Transfers of Information
Use of Cookies
Third Party Websites
Medallia and CCPA/CPRA
Changes to Privacy Policy
Contact Us

 

1. Medallia and Customer Data

Medallia’s customers are organizations such as businesses, who use our services to help them understand employee and customer experiences. Medallia’s customers may electronically submit data or information for hosting and processing purposes (“Customer Data”). Medallia does not review, share, distribute or reference any such Customer Data except as provided in the customer’s contract, and if applicable, in the Data Processing Agreement (“DPA”) between Medallia and our customer. Medallia may access Customer Data only for the purpose of providing services, preventing or addressing service or technical problems at our customer’s request in connection with customer support matters, or as may be required by law. A copy of our standard Customer DPA is available here. If you have questions about personal data you have entered into a Medallia service used by one of our customers, or if you want to exercise any of your rights regarding your personal data, our customer contract requires that we redirect your inquiry back to that Medallia customer.

Medallia may transfer Customer Data to partners that help us provide our services. Transfers to third parties are covered by the provisions of our customer and partner agreements. To see a list of our Customer Data related subprocessors, please review Annex A of our DPA available here.

Medallia may retain Customer Data collected on behalf of our customers for as long as that customer’s account is active or as needed to provide services, and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes.

For information about email survey invitations or other communications sent by Medallia on behalf of one of our customers, including opt-out and data deletion requests, please visit our opt-out FAQ. For general support inquiries, including problems with survey completion and incorrect survey invitations, please visit our survey support portal.

 

2. Types of Information Medallia Collects

When acting as a data controller with respect to website data, visitor data, and applicant data, we may collect and process any of the following information about you, which we refer to as “Personal Information” throughout this Privacy Policy:

2.1 Information You Give Us

You may give us information about yourself by using the online forms provided on the website or by contacting us by phone, e-mail or other means. This includes, for example, filling in the “Contact Us” form on the website, applying for a position with Medallia, registering for a webinar or event, providing your information to us in order to receive our services, or when participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”).

The information you give us may include email address, name, mailing address, telephone number, company name, company address, geolocation data, credit card information, job title, account information, chat conversations, video submissions, and any updates to information provided to us.

Please note that we need certain types of information so that we can provide services to you. If you do not provide us with such information, or if you ask us to delete it, you may no longer be able to access our services.

Medallia may collect Personal Information when a candidate submits an application for employment, including personal data contained within a resume or curriculum vitae (including names, contact details, employment and education history), and, when applicable, Equal Employment Opportunity information that may be regarded as sensitive information in some countries (e.g., gender, ethnicity, disability status, veteran status). This Personal Information is collectively referred to as applicant data.

If you are an employee at an organization that uses Medallia, we may collect, store and share your contact info, bio (if applicable), and picture (if applicable). This makes it possible for us to keep track of you and return the correct information to you. We also use this to personalize the surveys and feedback requests we send on your behalf. We do this at the direction of your employer, and their own privacy policies are in effect as well. We also collect and store information about how you use the platform. We use this to determine how best to serve you.

2.2 Information We May Collect About You

We may automatically collect any of the following information each time you visit the website:

  • Technical information, including the Internet Protocol (IP) address used to connect to the Internet, domain name and geolocation data, the file(s) requested, browser type, device, and version, browser plug-in types and versions, operating system and platform; and
  • Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from the website (including date and time), length of visits to certain pages, page interaction information (such as downloading, scrolling, clicks, and mouse-overs) and methods used to browse away from the page.

Some of the data we collect is anonymous information sent by your browser when you visit our websites, however if/when you identify yourself by filling out a form, some data (such as what pages you view on our websites) will be connected to your personal information.

For more information about our use of cookies and tracking technologies, please see section 10 of this Privacy Policy.

2.3 Website Feedback Survey and OCEM Assessments

We collect survey information from digital surveys embedded in our website. Medallia can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and to improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. We collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.

2.4 Information We May Receive From Other Sources

We will receive information about you if:

  • You obtain our services through one of our resellers or partners. The types of information that we may receive are the same as the information that you may give to us detailed in section 2.1 above.
  • You use any of the other websites we operate or the other services we provide. In this case, we will inform you when we collect that data that it may be shared internally and combined with data collected on the website. We work closely with third parties (including, for example, advertising networks, and analytics and search information providers) and may receive information about you from them. Information collected is used by Medallia to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence.
  • You apply for a position with Medallia.

In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects contact information from professional network intelligence companies or industry event providers. Information collected by professional network intelligence companies is publicly available and used by Medallia’s talent acquisition team to determine your interest in employment with Medallia.

2.5 No Minor Data Collection Intended

Medallia’s website and recruiting efforts are directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact us here.

 

3. Use of Information

We, or third-party data processors acting on our behalf, collect, use and store the Personal Information listed above. We will use your Personal Information in order to deliver your contracted services, in order to comply with applicable laws, where we have obtained your consent, or where it is in the legitimate interests of Medallia to handle your Personal Information. More specifically, we collect, use and store your Personal Information for the following reasons:

  • To register you for webinars/seminars/conferences.
  • To inform you about Customer Experience Management certification courses.
  • To assign a password.
  • To ensure that content from the website and services is presented in the most efficient manner for you.
  • To provide you with information, products or services that you request from us or which we feel may interest you.
  • To carry out our obligations arising from any contracts entered into between you and us.
  • To allow you to participate in interactive features (e.g., live chat) when you choose to do so.
  • To notify you about changes to our products or services and to keep you informed about our fees and charges.
  • To improve the quality and accuracy of the services.
  • To allow you to access and use the website and to register for an account.
  • To carry out activities in the legitimate interests of Medallia, for example, pursuing debt or ensuring the security of our services and the website.
  • To carry out statistical analysis and market research.
  • For marketing, advertising and promotional purposes.
  • For the purposes of improving and maintaining the website, preparing reports or compiling statistics in order to improve our services. Such details will be anonymized as much as reasonably possible, and you will not be identifiable from the data collected.
  • For the recruiting and hiring process, including providing you with information about Medallia career opportunities.
  • To process applications for employment, assist with the interview experience and, in some cases, supplement the employment onboarding process.
  • Medallia may use aggregate applicant data to track its diversity and inclusion efforts to meet its applicable legal requirements.
  • To take other action you request when you supply the Personal Information.

 

4. Data Retention

We retain Personal Information for as long as you use the services we provide, as long as needed to carry out our legitimate business interests, and then as required to comply with applicable laws. For information about specific retention periods, please contact us here.

 

5. Disclosure of Information

We will not sell, hire, lease or rent your Personal Information that we collect to any third party without notifying you and/or obtaining your consent, except as expressly set forth in this section. Where you have given your consent for us to use your information in a particular way, but later change your mind, please contact us as set forth in section 13 of this Privacy Policy in order to revoke such consent.

5.1 Medallia Group Companies

Medallia may share your Personal Information with any Medallia Group Company, a group that consists of Medallia’s subsidiaries and affiliated entities worldwide.

5.2 Categories of Third Parties

Any third parties with whom we share your Personal Information are limited (by law and by contract) in their ability to use your Personal Information for any purpose other than to provide services for us. We will always ensure that any third parties with whom we share your Personal Information are subject to privacy and security obligations consistent with this Privacy Policy and applicable laws. We will share your Personal Information with the following categories of third parties:

  • Our service providers and subcontractors including, but not limited to, payment processors, suppliers of technical and support services and cloud service providers;
  • Companies that assist us in our marketing, advertising and promotional activities;
  • Companies that assist in our recruiting and hiring activities;
  • Analytics and search engine providers that assist us in the improvement and optimization of the website; and
  • Systems integrators and service providers who resell our products and services.

Service providers that are provided access to Personal Information are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing our Personal Information. Service providers are required to enter into Data Processing Agreements with Medallia.

5.3 Other Third Party Disclosures

We will also disclose your Personal Information to third parties:

  • In the event we sell or buy any business or assets, in which case we may disclose your Personal Information to the prospective seller or buyer of such business or asset;
  • If Medallia, or substantially all of its assets, is acquired by a third party, in which case information held by it about its customers and partners will be one of the transferred assets;
  • If Medallia is under a duty to disclose or share your Personal Information in order to comply with any legal obligation or any lawful request from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity; or
  • In order to enforce or apply Medallia’s terms and conditions or any other agreement or to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity.

 

6. Protection of Personal Information

Medallia is committed to taking steps to protect Personal Information you provide to us, including administrative, technical and physical measures to safeguard Personal Information against loss, theft, misuse, unauthorized access, disclosure, alteration and destruction. For more details on Medallia’s security measures Medallia, please visit Trust at Medallia.

 

7. Your Privacy Rights

7.1 Data Subject Requests

Subject to the conditions set forth under applicable law, you have the right to request to access, review, correct, update, suppress, restrict or delete Personal Information that you have provided to us. You have the right to request an electronic copy of Personal Information for purposes of transmitting it to another company. You have the right to ask us to not process your Personal Information for marketing purposes. You have the right to not be subject to a significant decision based solely on automated processing, including profiling. You may submit such requests by contacting us here. We will respond to your request in accordance with applicable law. In your request, you must advise what Personal Information you would like to access, review, correct, update, suppress, restrict or delete; or otherwise let us know what limitations you would like to put on our use of your Personal Information. We may need to verify your identity before completing your rights request by, for example, verifying your ownership of the relevant email account. If you are an authorized agent wishing to exercise rights on behalf of a California consumer, please contact us using the same link above.

Please note that we may need to retain certain Personal Information for recordkeeping purposes and/or to complete transactions that you began prior to requesting a change or deletion. In the event your Personal Information is processed on the basis of your consent, you may withdraw consent at any time by contacting us here and specifying the details of your request. However, any withdrawal of consent will not affect the lawfulness of any processing based on consent before it is withdrawn.

7.2 Exercising Opt-Out Preferences

If you have previously given us consent to use your Personal Information for marketing purposes and you now wish to withdraw your consent, you may opt out from receiving marketing communications (a) by clicking the “unsubscribe” link at the bottom of our communication with you; or (b) by contacting us here. Please note that opting out may prevent us from providing you with our services or information requested by you.

If you would like to opt out of Customer surveys, please directly contact the Customer you wish to unsubscribe from.

7.3 Complaints

If you are in a jurisdiction with a privacy rights enforcement authority, you may lodge a complaint with a that authority in your own state or country of residence, if you consider that the collection and use of your Personal Information infringes this Privacy Policy or applicable law.

 

8. Transfers of Information

Data may be processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the UK or EEA), Medallia signs data processing agreements with our customers, partners and vendors that have robust privacy and security terms, including, where appropriate (i.e. if you are in the UK or the EEA), the Standard Contractual Clauses (also known as the “EU Model Clauses”).

Your Personal Information may also be processed by staff operating in the United States or outside the EEA or Switzerland that are working for us, other members of our group or third-party data processors. Such staff may be engaged in, among other things, the provision of our services to you, the processing of transactions and/or the provision of support services. By providing us with your Personal Information you acknowledge and agree to any such transfer, storage and processing.

We will always take steps to ensure that such transfers comply with applicable privacy laws, and we will take all reasonable precautions to ensure that your Personal Information is treated securely and in accordance with this Privacy Policy.

 

9. Use of Cookies

A cookie is usually a small piece of data sent from a website and stored in a user’s web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity.

Cookies were designed to be reliable ways for websites to remember the activity that a user had taken in the past such as indicating their preferences. We and our third-party partners and providers may also use other, related technologies to collect this information, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”).

9.2 What We Collect When Using Cookies

We and our third-party partners and providers may use cookies to automatically collect certain types of usage information when you visit or interact with our email communications, websites and other online services. For example, when you visit Medallia’s website, we collect IP address, browser type, referring/exit pages, operating system, date/time stamp, clickstream data, and other similar information. We may collect analytics data or use third-party analytics tools such as Google Analytics to help us measure usage and activity trends for our online services and better understand our customer base.

9.3 How We Use That Information

We use or may use the data collected through cookies to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit our websites and online services; (b) provide and monitor the effectiveness of our websites and online services; (c) monitor online usage and activities of our websites and online services; (d) diagnose errors and problems with our websites and online services; (e) otherwise plan for and enhance our online services; and (f) facilitate the purposes identified in this Privacy Policy.

Cookies, beacons, tags and scripts are used by Medallia and our partners (e.g., marketing partners), affiliates, or analytics or service providers on our website. We and our marketing partners also use the information we collect through cookies to understand your browsing activities, including across unaffiliated third-party sites, so that we can deliver ads and information about products and services that may be of interest to you. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt-out by clicking here (or if located in the European Union click here). Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see will not be based on your interests.

We use Local Shared Objects (LSOs) to store content information and preferences. Third parties with whom we partner to provide certain features on our site or to display advertising based upon your Web browsing activity use LSOs such as provided by HTML5 to collect and store information. Various browsers may offer their own management tools for removing HTML5 LSOs.

Please note that we link some of the Personal Information we collect through cookies with the other Personal Information that we collect about you and for the purposes described in this Privacy Policy.

9.4 Your Choices About Cookies

If you would prefer not to accept cookies, most browsers will allow you to: (i) change your browser settings to notify you when you receive a cookie, which lets you choose whether or not to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Please note that doing so may negatively impact your experience using our online services, as some features and services on our online services may not work properly. Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our email and performed certain functions with it.

Some Medallia products use Google Analytics for purposes of improving product performance. For more information on Google Analytics, and how it collects and processes data visit the site “How Google Uses Information From Sites or Apps that Use our Services,” located at https://policies.google.com/technologies/partner-sites.

9.5 Your Choices About Online Ads

We support the self-regulatory principles for online behavioral advertising (Principles) published by the Digital Advertising Alliance (DAA). This means that we allow you to exercise choice regarding the collection of information about your online activities over time and across third-party websites for online interest-based advertising purposes. More information about these Principles can be found at www.aboutads.info. If you want to opt out of receiving online interest-based advertisements on your internet browser from advertisers and third parties that participate in the DAA program and perform advertising-related services for us and our partners, please follow the instructions at www.aboutads.info/choices, or http://www.networkadvertising.org/choices/ to place an opt-out cookie on your device indicating that you do not want to receive interest-based advertisements. Opt-out cookies only work on the internet browser and device they are downloaded onto. If you want to opt out of interest-based advertisements across all your browsers and devices, you will need to opt out on each browser on each device you actively use. If you delete cookies on your device generally, you will need to opt out again.

If you want to opt out of receiving online interest-based advertisements on mobile apps, please follow the instructions at http://www.aboutads.info/appchoices.

Please note that when you opt out of receiving interest-based advertisements, this does not mean you will no longer see advertisements from us or on our online services. It means that the online ads that you do see from DAA program participants should not be based on your interests. We are not responsible for the effectiveness of, or compliance with, any third-parties’ opt-out options or programs or the accuracy of their statements regarding their programs. In addition, third parties may still use cookies to collect information about your use of our online services, including for analytics and fraud prevention as well as any other purpose permitted under the DAA’s Principles.

 

10. Third Party Websites

The website may, from time to time, contain links to other websites operated by third parties. Please note that this Privacy Policy applies solely to the information collected from the website, and we cannot be responsible for Personal Information collected and stored by third parties. If you choose to visit any websites operated by third parties, then their privacy policies would apply, and you should carefully read such third parties’ privacy policies before submitting any Personal Information to those websites. We do not endorse or otherwise accept any responsibility or liability for the content of such third-party websites, terms and conditions or policies.

 

11. Medallia and CCPA

11.1 California Consumer Privacy Act (CCPA) Activities

In this section, “business,” “business purpose,” “consumer,” “commercial purpose,” “personal information,” “sale” or “selling,” and “service provider” refer to the definitions in the CCPA.

Medallia has two areas of activity that are related to the CCPA:

  • First, Medallia collects data from consumers in the course of providing Medallia products and services to its clients. In this activity, Medallia acts strictly as a “service provider” to our clients under the CCPA, and our clients are “businesses”. In the Medallia products and services, Medallia collects customer data based on our clients’ instructions. For example, our clients specify what consumers we should contact to provide feedback, when we should contact them (e.g., after completing a purchase at a client’s retail store), how we should contact them (e.g., email or SMS), how often we should send them reminders to provide a response, and what questions are asked. Medallia’s clients also decide how to use or respond to feedback that is collected.
  • Second, Medallia collects data from consumers in the course of its marketing and recruiting efforts. This includes information we collect voluntarily from forms on our website and event registrations, information we collect automatically when you visit our website, apply for a position, and information we obtain from third party sources. In this activity, Medallia acts as a “business” under the CCPA.

11.2 Handling Personal Information Under CCPA

Regardless of which area of activity applies to you, Medallia does not sell your personal information.

To be clear, in the previous 12 months we have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer’s personal information to another business or third party for monetary or other valuable consideration. If that changes, we will update this Privacy Policy.

Further, when we provide the Medallia products and services to our clients, we do not:

  • process personal information for any commercial purpose other than providing our clients the products and services they have purchased; or
  • retain, use or disclose personal information outside of the scope of the agreements we have with our clients.

11.3 Personal Information Collected and Disclosures for Business Purposes

The CCPA requires that we disclose the categories of personal information we collect about consumers, and the categories of personal information we disclose for a business purpose.

The chart below details where you find information about the categories of personal information that Medallia has collected in the previous 12 months for each activity related to the CCPA.

 

Activity Where you can find information
Providing the Medallia products and services to Medallia clients as a “service provider” The categories of personal information Medallia collects about consumers vary depending on our clients’ implementation and use of our software. For a generalized description of these categories, please see the Medallia Customer DPA located here.

For more information on the types of data collected by a particular Medallia client, refer to the privacy policy or communications of the Medallia client.

Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys).
Carrying out Medallia’s marketing and recruiting efforts as a “business” See section 2 (Types of Information Collected) of this Privacy Policy.

 

The chart below details where you can find information about the categories of information we disclose for a business purpose in the previous 12 months.

 

Activity Where you can find information
Providing the Medallia products and services to Medallia clients as a “service provider” The categories of personal information Medallia discloses for a business purpose vary depending on the features of our software our clients use, and the servicing and support they have purchased. For a generalized description of these disclosures, please see the Medallia Customer DPA located here.

For more information on the disclosures made to a particular Medallia client, refer to the privacy policy or communications from the Medallia client.

Our clients’ privacy policies are commonly located in the Medallia survey invitation email (for web-based surveys) or on the client’s web site or mobile application (for in-the-moment surveys).
Carrying out Medallia’s marketing and recruiting efforts as a “business” See section 5 (Disclosure of Information) of this Privacy Policy.

 

11.4 Consumer Rights Under the CCPA

Your rights under the CCPA include the right to request a copy of the specific personal information collected about you in the 12 months prior to the request, and a business’s data collection practices (including categories of information collected, how information is used, and who it is disclosed to). We will generally refer to these as “access requests”.

In addition, with some exceptions, you can request deletion of the personal information that is collected about you. We will generally refer to these as “deletion requests”.

You have a right not to receive discriminatory treatment for exercising their CCPA rights.

With respect to personal data of consumers collected in Medallia products and services, Medallia’s clients are responsible for fulfilling access and deletion requests. Medallia supports these requests by offering our clients product features, processes and assistance in exporting personal information about individuals. These product features and processes complete the data deletion within 30 days of receiving the request from our client.

With respect to the personal data of consumers collected in Medallia’s marketing and recruiting efforts, we are responsible for fulfilling access and deletion requests.

The chart below details how you can exercise your rights under the CCPA.

 

Activity How to exercise your access and deletion rights
Providing the Medallia products and services to Medallia clients as a “service provider” Please contact the Medallia client identified in the communication you received.

Contact information is commonly located within the communication or in a privacy policy linked from the communication.
Carrying out Medallia’s marketing and recruiting efforts as a “business” Please submit a request to our Marketing team here.

In the request, please be as specific as possible in relation to the personal information you wish to access or delete. Once we receive the request, we will review it, and process the request accordingly. If we need additional information to verify your identity, we will let you know.

Any identifying information in such requests will be used solely for verification, and to communicate with you. We will respond to the request within 45 days of receipt, or notify you if we require additional time.

 

12. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. By continuing to use the services and the website, you agree to the latest version of this Privacy Policy. Any future changes we make to this Privacy Policy will be posted on this page, sent to our clients via email, or shared through other appropriate channels. Please visit this page frequently to check for any updates or changes to this Privacy Policy. If you would like to review an archive of our previous privacy policies, please visit our Privacy Policy Archive.

 

13. Contact Us

If you have any questions or comments about Medallia’s Privacy Policy or the practices of this site, if you would like to issue a complaint, or if you have an unresolved privacy and data use concern, we’d like to hear from you. Medallia responds to privacy-related requests in a timely fashion and pursuant to applicable law. To make a privacy-related request or to contact our Data Protection Officer, please contact us through the form found here or by mail at the following address:

Medallia, Inc.
6220 Stoneridge Mall Rd Floor 2
Pleasanton, CA 94588
Attn: Data Protection Officer

 

October 21, 2020 to February 17, 2021

Overview

Medallia Website Privacy Notice

Introduction

This notice addresses the data we collect through Medallia’s company websites, including www.medallia.com. Medallia uses this data for marketing purposes, including contacting prospective clients and understanding the ways users interact with our website.

Identity of the Data Controller

Medallia is the data controller for the marketing and website analytics data we collect. If you have additional questions about our practices as a data controller or if you would like to issue a complaint, you may contact us at [email protected] or by mail at the following addresses:

Privacy, Medallia, Inc.

575 Market Street Suite 1850, San Francisco, CA 94105

Privacy, Medallia Limited

5th Floor 80 Cheapside London EC2V 6EE

Marketing

What Data We Collect. Medallia collects data for its marketing efforts, including, information you voluntarily provide us, information we automatically collect from you, and information we obtain from third party sources (collectively, “Marketing Data”).

Information We Collect Voluntarily

Medallia collects information you submit through our website when signing up to receive information about our product, services, and industry, participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”), or when registering for an event. The information you provide may include, for example, first and last name, email address, physical address, phone number, employer and employment title. We use this information to provide you with information that you might be interested in about our products, services and industry, share results related to your OCEM Assessment, and register you for events.

Information We Collect Automatically

In order to improve the Medallia website and understand how users are engaging with it, Medallia also collects information by using tracking technologies. This includes IP address, geolocation, time of website access, unique device ID, web browser and device information. For more information about our use of cookies and tracking technologies you may access our Cookies Notice by clicking here.

Information We Obtain from Third Party Sources

In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects business contact information from Medallia partners, industry event providers, or business intelligence providers. Information collected by business intelligence providers is publicly available and used by Medallia marketing and sales teams to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence or by accessing our Preference Center here.

How We Use Personal Data.

Marketing Outreach and Communication. Medallia uses Marketing Data to communicate with you for the purpose of providing you with information about Medallia products and services. We may also inform you about Medallia resources, news and updates, webinars, events, CEM certification courses, conferences, and information related to our blog. We provide this information to you via several channels, including, for example, direct mail and email communication, phone or SMS communication, event registration, onsite experience programs, ad targeting and retargeting efforts and website feedback surveys. Medallia also uses Marketing Data to understand the ways in which you access our website and to analyze trends related to usage. Medallia may analyze usage to evaluate our marketing effectiveness and retool portions of the site to provide a more convenient experience to you.

Website Feedback Survey and OCEM Assessment. We collect survey information from digital surveys embedded in our website. Medallia’s marketing team can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. Our marketing and sales teams collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.

Legal Basis for Processing. In all instances, Medallia processes Marketing Data only to the extent that it has a legal basis to do so. Generally, we rely on either a legitimate interest or consent to process Marketing Data. For more information about the legal basis for each of our processing activities contact [email protected].

Who Accesses Personal Data.

Medallia Marketing and Sales Professionals. Medallia marketing and sales teams in Medallia’s Group Companies can access Marketing Data for the purposes described above.

Third-Party Service Providers. Medallia may share

Marketing Data with third parties to (1) facilitate our communication with you; (2) providing analytics of Marketing Data and support Marketing operations; (3) assist with event registration; (4) tailor your advertisement experience; (5) to the extent required to support our technical security measures (including data loss prevention software providers). Service providers that are provided access to Marketing Data, including those who support our technical security measures and may process it incidentally are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing Marketing Data. Service providers are required to enter into data processing agreements with Medallia. The majority of service providers are located in the United States, with some providers located internationally.

Medallia also uses web analytics services, which include Google Analytics. Google Analytics is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies and similar technologies to analyze how users use our website. The information generated about usage (including your shortened IP address) is transmitted to Google. This information is used to evaluate visitors’ use of the Medallia website, compile statistical reports on Medallia website activity, and provide other services related to the Medallia website. Google may also collect information about our visitors’ use of other websites. You may opt out of Google Analytics or access additional information about the service by clicking here.

Security. We maintain a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. For more details, visit https://www.medallia.com/security/.

Storage Period. Medallia maintains Marketing Data for the period of time necessary to carry out our legitimate business interests. For information about specific retention periods, please contact us at [email protected].

Data Subject Access Requests. If you are a resident of the UK or EEA you have the following data protection rights:

  • If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us at [email protected].
  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
  • If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA are available here. If you are in the UK, you can contact the ICO here.

Opt Out and Preference Center. Medallia offers opt-out mechanisms for marketing communications. If you exercise your right to opt out of marketing communications, you will be added to Medallia’s opt-out list as required by applicable law. Medallia does not send marketing communications to any e-mail address on the applicable opt-out list. Please note that this does not include any service communications, for example information about service interruptions or changes to terms and conditions.

If you wish to withdraw your consent from receiving marketing communication, you may opt out from receiving marketing communications by accessing our Preference Center here or by clicking the “unsubscribe” link at the bottom of our communication with you. In the Preference Center, you may also tailor the type of information we provide you.

International Data Transfer and Adequacy Laws

Marketing Data is processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the UK or EEA):

Disclosure of Data for Legal Obligations. Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iii) to protect the vital interests of our clients and their employees and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. Medallia will communicate with the affected client or individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale. If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors. Medallia’s website is directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact [email protected].

Privacy Contact. If you have any questions or comments about this privacy notice or the practices of this site, or unresolved privacy and data use concerns, please contact Medallia by e-mailing [email protected], faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Medallia, Inc.,575 Market Street Suite 1850, San Francisco, CA 94105. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.

 

 

April 6, 2020 through October 21, 2020

LAST REVIEWED AND UPDATED APRIL 6, 2020, DATE DEPRECATED OCTOBER 21, 2020

Overview

Last Reviewed and Updated April 6, 2020

At Medallia, we want to provide you with information about the collection and use of your personal data. The following privacy notices explain the different ways your personal data is collected and used, and how you can exercise your preferences.

  • The Medallia Experience Cloud Privacy Notice addresses the data we collect to provide our software-as-a-service (“SaaS”) platform to our clients.
  • The Website Privacy Notice addresses the data we collect from Medallia’s company websites, including www.medallia.com, and customer prospects in our marketing efforts.
  • The Recruitment Privacy Notice addresses the data we collect in our employee recruiting efforts.
  • The Cookies Notice addresses the cookies we use in the Medallia Experience Cloud and on our company websites.
  • The CCPA Notice addresses Medallia’s responsibilities to our clients and required disclosures to California consumers under the California Consumer Privacy Act of 2018

Medallia is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. For more information see our Notice of Privacy Shield Certification.

About Medallia

Medallia provides SaaS and professional services to other companies (our clients) that enable them to:

  • collect customer feedback and other signals, primarily through surveys;
  • distribute the feedback and signals to employees throughout their organization; and
  • analyze the feedback and signals to drive operational changes in their business.

Medallia also provides SaaS and professional services to clients that enable them to:

  • Collect and analyze customer success data to track customer interactions, satisfaction levels, and product usage; and
  • provide personalized messaging experiences to customers.

Medallia performs these functions on behalf of our clients. Medallia is not in the business of selling or renting personal data.

How to Contact Us

Questions about Communications from Medallia’s Clients

  • For information about email survey invitations or other communications sent by Medallia on behalf of one of our clients, including opt out and data deletion requests please visit our opt-out FAQ.
  • For general support inquiries, including problems with survey completion and incorrect survey invitations, please visit our survey support portal.

Changes to our Notices

Updates to our privacy notices will be posted on our home page, sent to our clients via email, or through other appropriate channels. If you want to review our old privacy policies, click here.

Our Group Companies

Our privacy notices cover how Medallia, Inc. and its subsidiaries and affiliated entities (collectively, “Group Companies”) handle your personal data. Group Companies are Medallia, Inc., Strikedeck, Inc., Zingle, Inc., Medallia Australia Pty Ltd, Medallia Canada Inc., MEDACX, S. de R.L. de C.V. (in Mexico), Medallia S.A. (in Argentina), Medallia Limited (in the United Kingdom), Medallia France Sarl, Cooladata Ltd. (in Israel), Medallia Digital Ltd. (in Israel), and Medallia GmbH (in Germany).

For additional privacy inquiries

If you have questions about our privacy practices, you can contact us by emailing [email protected], or by writing to us at:

Privacy, Medallia, Inc.

6220 Stoneridge Mall Rd Floor 2 Pleasanton, CA 94588

Privacy, Medallia Limited

5th Floor 80 Cheapside London EC2V 6EE

 

Medallia Experience Cloud Notice

Effective Date: April 6, 2020 – Last Reviewed and Updated April 6, 2020

Introduction

This notice addresses the data Medallia collects to provide our SaaS platform and services to our clients. Clients use this platform to collect customer feedback through different channels, including surveys and integrations with other platforms. Medallia also provides reporting applications that allow our clients to view and analyze the collected feedback.

In our privacy notice, we use the following terms:

  • “Medallia Experience Cloud” refers to the SaaS platforms and related online services (such as CSM tools), as well as the accompanying professional services we provide to our clients.
  • “CSM Tools” refers to the customer success analytics platforms, such as Strikedeck, that we offer via a SaaS model.
  • “client” refers to a business to which Medallia provides the Medallia Experience Cloud, such as those listed at https://www.medallia.com/customers/;
  • “customer” refers to an individual who has had an interaction with a Medallia client and whose feedback is collected through the Medallia Experience Cloud. Customer interactions can span a wide variety, and include purchasing goods or services, contacting customer support, checking in to a hotel or property, and visiting a client’s web page or using its mobile app.
  • “respondent” refers to an individual who is prompted to provide feedback to one of Medallia’s clients through the Medallia Experience Cloud.

What Data We Collect and How We Collect It 

Medallia’s and our Clients’ Roles in Data Collection.  In providing the Medallia Experience Cloud to our clients, Medallia collects data only according to our clients’ instructions. Our clients specify what customers we should contact to provide feedback, when we should contact them (for example, after completing a purchase at a client’s retail store), how we should contact them (for example, email or SMS), how often we should send them reminders to provide feedback, and what questions are asked. Medallia’s clients also decide whether to use inbound or outbound data integrations, and how to use or respond to feedback that is collected.

Medallia enters into agreements with our clients that legally obligate Medallia to protect data we receive or are directed to collect, and use it only to provide the products and services specified by the client. Under many data protection laws, including those in Europe, Medallia is considered a “data processor” to our clients, and our clients are considered “data controllers.” As data controllers, Medallia clients are responsible for complying with laws that may require notice, disclosure or consent related to the transfer of data to Medallia or its use in the Medallia Experience Cloud.

For more information on the types of data collected by a particular Medallia client, refer to the privacy notice or communications of the Medallia client. Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).

Legal Basis for Processing. Medallia clients provide instructions with regard to the upload, collection, transfer, and access of personal data in the Medallia Experience Cloud. As such, Medallia clients determine the legal basis they have for data processing. Medallia clients can use legitimate interest or consent as a legal basis for processing personal data in the Medallia Experience Cloud, although others may apply. For more information, refer to the privacy notice or communications of the Medallia client.

Identity of the Data Controller. As data controllers, Medallia clients are responsible for identifying themselves, where appropriate, in communications sent by the Medallia Experience Cloud. For example, Medallia survey invitations sent by email or SMS should identify the name of the Medallia client who directs us to conduct the survey. If you are having trouble identifying the data controller associated with a particular Medallia survey, please contact Medallia survey support here.

Web-based Surveys and Chat Communications. In web-based surveys offered by the Medallia Experience Cloud, customers or employees receive a survey invitation and respond to the survey in a web interface. In addition, with the Medallia Experience Cloud’s chat communication products, clients can communicate with their customers through SMS or popular messaging applications. To send survey invitations or chat communications Medallia clients can, for example, provide the Medallia Experience Cloud with customer names, email addresses, mobile phone numbers, social messaging handle, and information about the customers’ interactions with their business (e.g., the name of the client’s store where the customer shopped or the hotel at which they are staying). In addition, Medallia clients can provide the Medallia Experience Cloud with information that segments customers into groups, such as the type of account the customer holds, the type of product or service purchased, or whether the customer is enrolled in a loyalty program.

When a respondent navigates to a Medallia web-based survey or a chat communication, Medallia collects the respondent’s IP address, the date and time the respondent accessed the survey, survey or chat responses (typically numerical scores and narrative text responses), how far the user has navigated in the survey, and the type of device and web browser the customer used to access the survey. In some surveys, clients also direct Medallia to collect the geographical location of the customer’s device that is used to access the survey.

Digital Surveys. Clients can use the Medallia Experience Cloud’s digital feedback capture tools to prompt their customers to respond to a survey within the client’s digital channels, such as a web page or mobile application. Clients can configure these surveys to:

  • prompt customers for information such as name, email, a survey score, and a narrative text response to a prompt;
  • collect analytics information (such as the customer’s IP address and type of web browser or mobile device);
  • collect customer ID (such as the login name or email the customer uses to access the client’s web site or mobile application); and
  • allow customers to take a screenshot that captures portions of the client’s web page or mobile application.

Integrations. Clients can integrate other tools, processes or platforms as inbound sources of data for the Medallia Experience Cloud, such as CRM platforms or marketing tools. For CSM Tools, Clients can integrate other tools, processes, or platforms via pre-built or custom-built data connectors. For example, data may be pulled into CSM Tools from analytics platforms, app monitoring platforms, client databases, or data warehouses. Medallia clients control what data is stored in the Medallia Experience Cloud from these integrations. For more information, refer to the privacy notice or the communications of the Medallia client.

Clients can also configure the Medallia Experience Cloud as an outbound source of data for other tools, processes, or platforms, such as collaboration tools. Clients and any third parties associated with those tools, processes, or platforms are responsible for managing personal data outside the Medallia Experience Cloud. For example, clients can configure surveys to prompt customers to write reviews on third-party websites. If a customer chooses to submit a review for publication on that third-party site, any information the customer provides on that site is governed by the privacy notice or communications of that site.

Medallia Reporting Applications. Medallia provides clients web-based and mobile applications that are used by employees of Medallia clients to review and analyze customer feedback and other data collected in the Medallia Experience Cloud (referred to as “reporting applications” in this notice). To provide their employees access to these applications, clients may send Medallia employee names, identifiers (e.g., an employee ID), job title or function, and the store or business location they are associated with.

When an employee accesses a Medallia reporting application, Medallia collects the employee’s user name, IP address of the device used to access the reporting application, geographic area associated with the IP address, type of web browser and mobile device, time and date that the reporting application was accessed, and areas of the reporting application that were visited.

Social Media Features and Widgets.  Clients can configure surveys to include social media features, such as the Facebook Like button and widgets, such as the “share this” button. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy notice or privacy-specific communications of the company providing them.

CSM Tools. Our CSM Tools, such as the Strikedeck platform, can be used by employees of Medallia clients to review and analyze customer feedback data as well as customer success data to track customer interactions, satisfaction levels, and product usage. Clients may also send surveys, alerts or other email communications directly from the CSM Tools. Medallia clients may also use data connectors to directly pull in information about their customers’ interactions with their business. In addition, clients can provide the CSM Tools with information that segments customers into groups, such as the type of account the customer holds or usage behavior, or on an individual level, such as by contact type.

Information Medallia Does Not Collect. Unless configured by a client to do so, the Medallia Experience Cloud does not collect sensitive data, such as credit card numbers or government identification numbers, nor does it collect information defined as “sensitive personal data” under EU law, such as race, sexual orientation, or union membership.

How Personal Data is Used

By Medallia and Partners. Medallia uses personal data gathered in the Medallia Experience Cloud to provide the SaaS platform and services for which the client has engaged Medallia.

These uses can include contacting a client’s customers to provide feedback for web-based and digital surveys, providing gathered feedback and assisting the customer in managing data in the Medallia Experience Cloud, and analyzing the data gathered to improve the client’s business.

Medallia Clients. Medallia clients can use personal data collected in the Medallia Experience Cloud to improve their customers’ experiences with their business. Clients can use Medallia’s reporting applications to provide customer feedback to their front line employees, as well as managers and executives. Clients can also perform analysis in customer feedback to prioritize and make operational changes to their business, and use personal data gathered in the Medallia Experience Cloud to send follow-up communications to customers.

Who Accesses Personal Data

Medallia Professional Services and Support. When a Medallia client engages Medallia’s professional services teams, Medallia professional services employees in Medallia’s Group Companies can access personal data of that client to perform work associated with tasks described above. If there is a support request, troubleshooting issue, or technical error (e.g., bug or product malfunction) that requires access to personal data, Medallia support and engineering staff in the Group Companies who are needed to address the issue will access that data.

Access to personal data stored in the Medallia Experience Cloud is provided using systems, procedures and controls approved by Medallia’s security team. Access is provided only as long as needed to perform the necessary work.

Third Party Professional Services, Servicing and Support. If permitted by a client, Medallia can use third parties to provide support for respondents and individuals who use the Medallia Experience Cloud. Medallia clients can also provide access to the Medallia Experience Cloud to third party partners to perform systems integration, consulting, market research or servicing. For examples of Medallia’s professional services partners, see https://www.medallia.com/partners/.

Medallia Clients. Medallia clients can provide their employees access to the Medallia Experience Cloud so that they can view and analyze gathered feedback. For more information, please contact the appropriate Medallia client.

Third-Party Technology Providers. Medallia transfers personal data as needed to vendors who provide our help desk ticketing software, support our technical operations (including vendors who assist us with web and mobile visitor analytics and SaaS event logging), assist with data transmission (including content delivery networks), and provide data storage. Depending on the technology integrations or features chosen by a Medallia client, we also transfer personal data of our client’s customers and respondents as needed to provide the integrations or features (including, for example, interactive voice response, SMS, machine translation, or screen capture features).

Third parties that are provided access to personal data in the Medallia Experience Cloud are evaluated by Medallia’s vendor risk management program and agree to appropriate security and data processing agreements with them.

Security.

Medallia maintains a comprehensive security program with appropriate organizational and technical security practices measures to protect data stored in the Medallia Experience Cloud. For more details, visit https://www.medallia.com/security/.

Storage Period.

The data of a Medallia client is retained in the Medallia Experience Cloud until the termination of the client’s subscription, unless earlier deleted or modified per the client’s request.

Data Subject Rights.

The Medallia Experience Cloud provides clients tools and processes for data modification, export, or deletion to address the needs of individuals in the EEA, or in other jurisdictions that provide individuals similar rights. If you are a individual who wants to modify, access, or delete personal data associated with you in the Medallia Experience Cloud, please contact the appropriate Medallia client.

Opt Out and Withdrawal of Consent.

Medallia offers its clients opt-out mechanisms to include in communications to individuals. Individuals who exercise an opt-out mechanism will be opted out of further communications for the relevant client for that communication channel.

International Data Transfer and Adequacy Laws

Personal data of data subjects can be processed by Medallia Group Companies or third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EEA):

Disclosure of Data for Legal Obligations.

Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iiii) to protect the vital interests of our clients and their employees, customers and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and customer or respondent anonymity. Medallia will communicate with the affected client or individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale.

If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors.

Medallia clients can use the Medallia Experience Cloud to gather feedback from individuals under 16. Such clients are responsible for complying with any applicable laws that require notice, disclosure or consent to individuals under 16. For more information, refer to the privacy notice or privacy-specific communications of the Medallia client.

Complaints.

You have the right to complain to a data protection authority about our collection and use of your personal information.  For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area are available here. Contact details for the Federal Trade Commission are available here.

 

 

Website Notice

Effective Date May 30, 2018 – Last Reviewed and Updated May 30, 2018

Introduction

This notice addresses the data we collect through Medallia’s company websites, including medalliastage.wpengine.com. Medallia uses this data for marketing purposes, including contacting prospective clients and understanding the ways users interact with our website.

Identity of the Data Controller

Medallia is the data controller for the marketing and website analytics data we collect. If you have additional questions about our practices as a data controller or if you would like to issue a complaint, you may contact us at [email protected] or by mail at the following addresses:

Privacy, Medallia, Inc.
6220 Stoneridge Mall Rd Floor 2 Pleasanton, CA 94588

Privacy, Medallia Limited
5th Floor 80 Cheapside London EC2V 6EE

Marketing

What Data We Collect. Medallia collects data for its marketing efforts, including, information you voluntarily provide us, information we automatically collect from you, and information we obtain from third party sources (collectively, “Marketing Data”).

Information We Collect Voluntarily

Medallia collects information you submit through our website when signing up to receive information about our product, services, and industry, participating in our Operational Customer Experience Management Assessment (“OCEM Assessment”), or when registering for an event. The information you provide may include, for example, first and last name, email address, physical address, phone number, employer and employment title. We use this information to provide you with information that you might be interested in about our products, services and industry, share results related to your OCEM Assessment, and register you for events.

Information We Collect Automatically

In order to improve the Medallia website and understand how users are engaging with it, Medallia also collects information by using tracking technologies. This includes IP address, geolocation, time of website access, unique device ID, web browser and device information. For more information about our use of cookies and tracking technologies you may access our Cookies Notice by clicking here.

Information We Obtain from Third Party Sources

In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects business contact information from Medallia partners, industry event providers, or business intelligence providers. Information collected by business intelligence providers is publicly available and used by Medallia marketing and sales teams to determine your company’s interest in Medallia’s products and services. You may opt out of these communications at any time by clicking the “unsubscribe” link in the email correspondence or by accessing our Preference Center here.

How We Use Personal Data.

Marketing Outreach and Communication. Medallia uses Marketing Data to communicate with you for the purpose of providing you with information about Medallia products and services. We may also inform you about Medallia resources, news and updates, webinars, events, CEM certification courses, conferences, and information related to our blog. We provide this information to you via several channels, including, for example, direct mail and email communication, phone or SMS communication, event registration, onsite experience programs, ad targeting and retargeting efforts and website feedback surveys. Medallia also uses Marketing Data to understand the ways in which you access our website and to analyze trends related to usage. Medallia may analyze usage to evaluate our marketing effectiveness and retool portions of the site to provide a more convenient experience to you.

Website Feedback Survey and OCEM Assessment. We collect survey information from digital surveys embedded in our website. Medallia’s marketing team can access and use survey feedback you choose to provide to evaluate your impression of and interactions with our website, and improve your browsing experience. Our survey allows you to provide your name and email address should you be interested in signing up for an event with us, or indicate what brought you to our site, including, for example, recruitment opportunities or product demos. The survey also allows you to take a screenshot of portions of our website that you would like to provide feedback about. This survey collects analytics information such as your IP address and type of web browser or mobile device used in accessing our site. We also allow you to engage with our OCEM Assessment to assess your customer experience preparedness. Our marketing and sales teams collect OCEM Assessment responses to refine our communication with prospective customers. We also use this information to help customers further define their customer experience goals. You may provide additional information within the OCEM Assessment, including, for example, name, email address, employer and title. We use this information to contact you about your OCEM Assessment results and Medallia products and services.

Legal Basis for Processing. In all instances, Medallia processes Marketing Data only to the extent that it has a legal basis to do so. Generally, we rely on either a legitimate interest or consent to process Marketing Data. For more information about the legal basis for each of our processing activities contact [email protected].

Who Accesses Personal Data.

Medallia Marketing and Sales Professionals. Medallia marketing and sales teams in Medallia’s Group Companies can access Marketing Data for the purposes described above.

Third-Party Service Providers. Medallia may share
Marketing Data with third parties to (1) facilitate our communication with you; (2) providing analytics of Marketing Data and support Marketing operations; (3) assist with event registration; (4) tailor your advertisement experience. Service providers that are provided access to Marketing Data are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing Marketing Data. Service providers are required to enter into data processing agreements with Medallia. The majority of service providers are located in the United States, with some providers located internationally.

Medallia also uses web analytics services, which include Google Analytics. Google Analytics is a web analytics service provided by Google Inc. (“Google”). Google Analytics uses cookies and similar technologies to analyze how users use our website. The information generated about usage (including your shortened IP address) is transmitted to Google. This information is used to evaluate visitors’ use of the Medallia website, compile statistical reports on Medallia website activity, and provide other services related to the Medallia website. Google may also collect information about our visitors’ use of other websites. You may opt out of Google Analytics or access additional information about the service by clicking here.

Security. We maintain a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. For more details, visit https://www.medallia.com/security/.

Storage Period. Medallia maintains Marketing Data for the period of time necessary to carry out our legitimate business interests. For information about specific retention periods, please contact us at [email protected].

Data Subject Access Requests. If you are a resident of the EEA you have the following data protection rights:

  • If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting us at [email protected].
  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
  • If we have collected and process your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA are available here.

Opt Out and Preference Center. Medallia offers opt-out mechanisms for marketing communications. If you exercise your right to opt out of marketing communications, you will be added to Medallia’s opt-out list as required by applicable law. Medallia does not send marketing communications to any e-mail address on the applicable opt-out list. If you wish to withdraw your consent from receiving marketing communication, you may opt out from receiving marketing communications by accessing our Preference Center here or by clicking the “unsubscribe” link at the bottom of our communication with you. In the Preference Center, you may also tailor the type of information we provide you.

International Data Transfer and Adequacy Laws

Marketing Data is processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EU):

Disclosure of Data for Legal Obligations. Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iii) to protect the vital interests of our clients and their employees and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. Medallia will communicate with the affected client or individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale. If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors. Medallia’s website is directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact [email protected].

Privacy Contact. If you have any questions or comments about this privacy notice or the practices of this site, or unresolved privacy and data use concerns, please contact Medallia by e-mailing [email protected], faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Medallia, Inc., 6220 Stoneridge Mall Rd Floor 2 Pleasanton, CA 94588. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.

 

Recruitment Notice

Effective Date May 30, 2018 – Last Reviewed and Updated May 30, 2018

Introduction

This notice addresses the data we collect through during the Medallia job application process. Medallia uses this data for recruitment purposes, including contacting potential job candidates, enhancing the job application process, and assisting with the interview experience.

Recruitment

What Data We Collect. Medallia collects data for its recruitment efforts, including, information you voluntarily provide us and information that we obtain from third party sources (collectively, “Candidate Data”).

Information We Collect Voluntarily. When a candidate submits an application for employment, Medallia may collect personal information, such as personal data contained within a resume or curriculum vitae (including names, contact details, employment and education history), and, when applicable, Equal Employment Opportunity information that may be regarded as sensitive information in some countries (e.g., gender, ethnicity, disability status, veteran status).

Information We Obtain from Third Party Sources. In some instances, Medallia engages with third party sources to obtain additional information about you. For example, Medallia collects contact information from professional network intelligence companies or industry event providers. Information collected by professional network intelligence companies is publicly available and used by Medallia’s talent acquisition team to determine your company’s interest in employment with Medallia.

How We Use Personal Data.

Medallia uses Candidate Data to communicate with you for the purpose of providing you with information about Medallia career opportunities. Medallia also uses Candidate Data to process applications for employment, assist with the interview experience and, in some cases, supplement the employment onboarding process. Medallia may use aggregate Candidate Data to track its diversity and inclusion efforts to meet its applicable legal requirements.

Legal Basis for Processing. In all instances, Medallia processes Candidate Data only to the extent that it has a legal basis to do so. Generally, we rely on either a legitimate interest or consent to process Marketing Data. For more information about the legal basis for each of our processing activities contact [email protected].

Who Accesses Personal Data.

Medallia Teams. Medallia talent acquisition, human resources, and hiring teams in Medallia’s Group Companies can access Candidate Data for the purposes described above.

Third-Party Service Providers. Medallia may share your information with third parties to (1) facilitate the hiring process; (2) if applicable, conduct background checks; (3) host your data in a centralized location; (4) track diversity and inclusion efforts. Service providers that are provided access to Candidate Data are evaluated by our vendor risk management program and agree to appropriate security and privacy safeguards when accessing or storing our Candidate Data. Service providers are required to enter into data processing agreements with Medallia. The majority of our service providers are located in the United States, with some providers located internationally.

Security. We maintain a comprehensive security program with appropriate organizational and technical security practices measures to protect data we collect. For more details, visit https://www.medallia.com/security/.

Storage Period. Medallia maintains Candidate Data for the period of time necessary to carry out our legitimate business interests. For information about specific retention periods, please contact us at [email protected]

Data Subject Access Requests. If you are a resident of the EEA you have the following data protection rights:

  • If you wish to access, correct, update or request deletion of your Personal Information, you can do so at any time by contacting us at [email protected].
  • You can object to processing of your Personal Information, ask us to restrict processing of your Personal Information or request portability of your Personal Information.
  • If we have collected and process your Personal Information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your Personal Information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your Personal Information. Contact details for data protection authorities in the EEA are available here.

Opt Out. When you apply for a job with us, Medallia provides you with the opportunity to receive regular correspondence from us about career opportunities that we believe you might be interested in. From time to time, we may confirm that we may still contact you for these purposes. You may request to opt out from these email communications at any time. If you have any additional questions or concerns about this correspondence, please contact [email protected].

International Data Transfer and Adequacy Laws

Marketing Data is processed by Medallia Group Companies and third parties in countries that have data protection laws different from those applicable to the data subjects. To satisfy adequacy requirements related to this international data transfer (such as those in the EU), Medallia signs data processing agreements with our vendors and clients that have robust privacy and security terms, including, where appropriate, the Standard Contractual Clauses.

Disclosure of Data for Legal Obligations. Medallia will provide data discussed in this notice to any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend Medallia’s legal rights, or (iii) to protect the vital interests of our clients and their employees and respondents, or those of any other person. When requested by legal authorities to disclose personal information, Medallia will inform the court of various factors justifying confidentiality and respondent anonymity. Medallia will communicate with the affected individual as soon as possible, unless prohibited by law or court order.

Disclosure of Data for Merger, Acquisition or Sale. If Medallia is involved in a merger, acquisition or sale of all or a portion of its assets, Medallia may transfer data discussed in this notice to the buyer or new parent company. In this circumstance, the appropriate individuals will be notified about the change in ownership and use of their personal data, as well as any choices they may have regarding personal data.

Collection of Personal Data of Minors. Medallia’s website and recruiting efforts are directed to people who are at least 16 years of age or older. In the event that we have inadvertently collected data of an individual who is younger than 16, we will remove this data from our system within a reasonable time period. To make such a request, please contact [email protected].

Privacy Contact. If you have any questions or comments about this privacy notice or the practices of this site, or unresolved privacy and data use concerns, please contact Medallia by e-mailing [email protected], faxing (650) 321-3156, calling (650) 321-3000, or writing Attention: Privacy, Medallia, Inc., 6220 Stoneridge Mall Rd Floor 2 Pleasanton, CA 94588. Medallia responds to non-frivolous privacy-related requests in a timely fashion, not to exceed ten (10) business days.

 

Cookies Notice

EFFECTIVE DATE APRIL 30, 2019 – LAST REVIEWED AND UPDATED APRIL 30, 2019

Medallia uses cookies on our corporate websites and in the Medallia Experience Cloud.

In our cookies notice, we use the following terms:

  • “Medallia Experience Cloud” refers to the SaaS platform and provision of professional services we provide to our clients.
  • “respondent” refers to an individual who is prompted to provide feedback to one of Medallia’s clients through the Medallia Experience Cloud.

What is a Cookie?

A cookie is a text file which can be sent from a website and stored in a user’s web browser while a user is browsing that website. When the user browses the same website or another website that recognizes that cookie in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user’s previous activity.

Cookies fulfill many different tasks, as for example letting you navigate between pages efficiently or remembering your preferences. They can also help to ensure that online-advertisements are more relevant to you with regard to your interests.

Medallia Corporate Websites

Cookies are placed on the computer of a visitor to Medallia’s corporate websites. These cookies enhance the visitor’s experience on these websites, for example to complete forms, identify returning visitors and offer related content. Cookies are also used in combination with beacons, tags and scripts on our website by Medallia and its partners to facilitate our communication with site visitors, support marketing operations and targeted advertising, tailor a visitor’s advertisement experience, analyze trends, administer the site, or understand how visitors engage with Medallia’s corporate websites.

As is true of most websites, Medallia gathers certain information automatically from visitors and store it in log files. When you visit Medallia’s website, we collect internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data.

In order to improve services we offer you, to improve marketing, analytics, or site functionality, we may combine this automatically collected log information with Marketing Data.

Cookies, beacons, tags and scripts are used by Medallia and our partners (e.g., marketing partners), affiliates, or analytics or service providers on our website. These technologies are used by Medallia’s marketing team in facilitating our communication with site visitors, supporting marketing operations, tailoring a visitor’s advertisement experience, analyzing trends, administering the site, or tracking users’ movements around the site. We receive reports based on the use of these technologies by these companies.

Categories of Cookies and Management Settings

The following describes the categories of cookies Medallia uses on our corporate websites and your options for managing them:

 

Category Description Managing Settings
Required cookies These cookies are essential for operating Medallia’s corporate websites. They assist in the display and navigation of the site, and provide security. Because required cookies are essential to the operation of our corporate website, the ability to opt out of these cookies is limited. Management of these cookies may be enabled on your browser via individual browser settings.
Functional cookies These cookies allow Medallia to remember the information you have entered or choices you have made when you visit our corporate websites, and are used to provide personalized features, such as remembering your preferences for displaying video content. You can manage the placement of functional cookies on your browser via your individual browser settings. Opting out of functional cookies may impact the functionality of Medallia’s corporate websites and degrade your experience. You can visit http://www.aboutcookies.org for detailed guidance.
Performance and analytics cookies These cookies record information about your visit to our corporate websites (such as which portions of the website you have visited and how fast pages have loaded). Medallia uses this information to improve how our corporate websites function. You can manage the placement of these cookies the same as functional cookies. You can visit http://www.aboutcookies.org for detailed guidance.
Advertising cookies Medallia uses cookies on our corporate website to show you relevant advertising outside of our site. Cookies may also be used to learn whether a visitor to our corporate website later saw an ad and took an action (e.g., downloaded a white paper) from our site.

Our partners may use a cookie to determine whether we’ve shown an ad to you outside of Medallia’s corporate website and how it performed, or provide us with information about how you interacted with ads. We may also work with partners to show you an ad off of our corporate website.

 See the cookie table below for our corporate website to learn more about how to opt out of data collection by third party advertising networks.

 

The cookie tables below list some of the cookies used on our corporate website, and opt-out information (if applicable).

 

Cookie Host Type Description and Opt-out Information (if applicable)
BIG IP Required Server and session management
CloudFlare Required Cache and security
Adobe TypeKit Required Website design features
Vimeo Functionality Integration of video content
Google Analytics, Hotjar, New Relic Performance and analytics Analyzes when sections of the Medallia website are visited, server performance monitoring

Opt-out tools and information are available at:
LinkedIn, Bidr.io/Beeswax, DemandBase, DoubleClick, Facebook, LiveRamp, Inc., Twitter Advertising Advertising cookies Ad targeting

Opt out tools and information is available at:

 

Medallia Experience Cloud

Cookies are placed on a respondent’s computer when they visit web-based surveys navigated to from an invitation sent by the Medallia Experience Cloud, when a respondent visits the domain of one of our clients that has enabled Medallia’s digital surveys, or when an employee of a Medallia client logs on to a reporting application. These cookies enable Medallia to remember a user’s preferences (such as language), ensure the security and integrity of client data, improve our products, and personalize a respondent’s survey experience. In addition, these cookies enable a Medallia client to identify a user across different browsers or devices that access a client’s web domain, record information about the browsing session on the domain, and to customize surveys presented to the user on that domain based on that information and additional rules.

The Medallia Experience Cloud does not place cookies on a user’s computer for advertising purposes.

Categories of Cookies and Management Settings

The following describes the categories of cookies used by the Medallia Experience Cloud and your options for managing them:

 

Category Description Managing Settings
Required cookies These cookies are essential for operating the Medallia Experience Cloud. They assist in navigation of surveys and reporting applications, ensure the security and integrity of Medallia’s and its clients’ data, and provide access to restricted content. Because required cookies are essential to the operation of the Medallia Experience Cloud, the ability to opt out of these cookies is limited. Management of these cookies may be enabled on your browser via individual browser settings.
Functional cookies These cookies allow Medallia to remember a user’s information or choices, and provide personalized features (such as the choice of language in a survey). You can manage the placement of functional cookies on your browser via your individual browser settings. Opting out of functional cookies may impact the functionality of Medallia’s surveys or reporting application and degrade your experience. You can visit http://www.aboutcookies.org for detailed guidance.
Performance and analytics cookies These cookies record information about the use of a survey or reporting application (such as how fast a survey loads or which modules within a reporting application a user interacts with). Medallia uses this information to improve how the surveys and reporting applications function. Medallia’s clients also use information collected from these cookies to improve a respondent’s survey experience (such as causing a survey on their domain to be presented only when certain conditions are met). You can manage the placement of these cookies the same as functional cookies. You can visit http://www.aboutcookies.org for detailed guidance.

 

The cookie tables below list some of the cookies used by the Medallia Experience Cloud, and opt-out information (if applicable).

Web-based surveys

Cookie Name(s) Cookie Host Type Description and Management Settings (if applicable)
sessionID Medallia Required Prevents repeated use of temporary survey URLs
JSESSIONID Medallia Required Enables survey navigation
feedless-XXXXXX Medallia Required Ensures that unique survey ballots are used in anonymous surveys
NSC_tvswfz.nfebmmjb.dpn Medallia Required Enables load balancing
loginLanguage Medallia Functional Records a respondent’s preferred survey language (if enabled by the Medallia client)
consent.$XXXXXX Medallia Functional Records whether respondent has accepted cookie terms and conditions (if enabled by the Medallia client)
ADRUM AppDynamics Performance and analytics Records analytics regarding page load time.

 

Digital surveys

 

Cookie Name(s) Cookie Host Type Description and Management Settings (if applicable)
backendDataInSessionFlag Medallia Performance and analytics A boolean flag that indicates whether to retrieve user information for custom survey rules in the current session.
LAST_INVITATION_VIEW, DECLINED_DATE, kampyleInvitePresented, Medallia Performance and analytics Records information about when surveys are presented and declined. Used for analytics and to customize frequency of survey presentation.
kampylePageLoadedTimestamp, kampyleSessionPageCounter, kampyleUserSession, kampyleUserSessionsCount Medallia Performance and analytics Records information about the visitor’s session on the Medallia client’s domain, such as the number of pages a respondent has visited in their session. Used for analytics and to customize frequency of survey presentation.
kampyle_userid Medallia Performance and analytics Records a randomly generated user ID for analytics and to customize frequency of survey presentation.
kampyleUserPercentile Medallia Performance and analytics Records a randomly generated number used to present a survey to a percentage of users. Used to customize frequency of survey presentation.

 

Reporting applications

 

Cookie Name(s) Cookie Host Type Description and Management Settings (if applicable)
CloudFront-Key-Pair-Id, CloudFront-Policy, CloudFront-Signature CloudFront Required Restricts access to confidential content.
JSESSIONID Medallia Required Enables survey navigation.
SERVERID Medallia Required Enables load balancing
loginLanguage Medallia Functional Records a user’s preferred survey language (if enabled by the Medallia client).
svs Medallia Functional Records user’s preferred view for certain modules.
ADRUM AppDynamics Performance and analytics Records analytics regarding page load time.

 

California Consumer Privacy Act Notice

Effective Date January 1, 2020 – Last Reviewed and Updated December 9, 2019

Introduction

This notice addresses Medallia’s responsibilities to our clients and required disclosures to California consumers under the California Consumer Privacy Act of 2018, or CCPA. This notice supplements our Medallia Experience Cloud Notice and our Website Notice.

In this notice, we use the following terms:

  • “client” refers to a business to which Medallia provides its services and SaaS platform, such as those listed at https://www.medallia.com/customers;
  • “business,” “business purpose,” “consumer,” “commercial purpose,” “personal information,” “sale” or “selling,” and “service provider” refer to the definitions in the CCPA;
  • “Marketing Data” is defined in the Website Notice, which can be accessed from the navigation pane of www.medallia.com/privacy-policy;
  • “Medallia Experience Cloud” refers to the SaaS platform and provision of professional services we provide to our clients; and
  • “respondent” refers to an individual who is prompted to provide a response to one of Medallia’s clients through the Medallia Experience Cloud.

 

Medallia’s activity related to the CCPA

For the purposes of this notice, Medallia has two areas of activity that are related to the CCPA.

First, Medallia collects data from consumers in the course of providing a software platform called the Medallia Experience Cloud to its clients. In this activity, Medallia acts strictly as a “service provider” to our clients under the CCPA, and our clients are “businesses”.

In the Medallia Experience Cloud, Medallia collects customer data based on our clients’ instructions. For example, our clients specify what consumers we should contact to provide feedback, when we should contact them (e.g., after completing a purchase at a client’s retail store), how we should contact them (e.g., email or SMS), how often we should send them reminders to provide a response, and what questions are asked. Medallia’s clients also decide how to use or respond to feedback that is collected.

Second, Medallia collects data from consumers in the course of its marketing efforts. This includes information we collect voluntarily from forms on our website and event registrations, information we collect automatically when you visit our website, and information we obtain from third party sources. In this activity, Medallia acts as a “business” under the CCPA.

 

Medallia’s handling of personal information under the CCPA

Regardless of which area of activity applies to you, Medallia does not sell your personal information.

To be clear, in the previous 12 months we have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer’s personal information to another business or third party for monetary or other valuable consideration. If that changes, we will update this notice.

Further, when we provide the Medallia Experience Cloud to our clients, we do not:

  • process personal information for any commercial purpose other than providing our clients the products and services they have purchased; or
  • retain, use or disclose personal information outside of the scope of the agreements we have with our clients.

 

Personal information collected and disclosures for business purposes

The CCPA requires that we disclose the categories of personal information we collect about consumers, and the categories of personal information we disclose for a business purpose.

The chart below details where you find information about the categories of personal information that Medallia has collected in the previous 12 months for each activity related to the CCPA.

 

Activity Where you can find information
Providing the Medallia Experience Cloud to Medallia clients as a “service provider”. The categories of personal information Medallia collects about consumers vary depending on our clients’ implementation and use of our software.

For a generalized description of these categories, see the section of the Medallia Experience Cloud Privacy Notice titled “What Data We Collect and How We Collect It”. This notice can be accessed from the navigation pane of www.medallia.com/privacy-policy.

For more information on the types of data collected by a particular Medallia client, refer to the privacy notice or communications of the Medallia client.

Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).
Carrying out Medallia’s marketing efforts as a “business”. See the section of our Website Privacy Notice titled “What Data We Collect”.

 

The chart below details where you can find information about the categories of information we disclose for a business purpose in the previous 12 months.

 

Activity Where you can find information
Providing the Medallia Experience Cloud to Medallia clients as a “service provider”. The categories of personal information Medallia discloses for a business purpose vary depending on the features of our software our clients use, and the servicing and support they have purchased.

For a generalized description of these disclosures, see the section of the Medallia Experience Cloud Privacy Notice titled “Who Accesses Personal Data”. This notice can be accessed from the navigation pane of www.medallia.com/privacy-policy.

For more information on the disclosures made a particular Medallia client, refer to the privacy notice or communications of the Medallia client.

Our clients’ privacy notices are commonly located in the Medallia survey invitation (for web-based surveys) or on the client’s web site or mobile application (for digital surveys).
Carrying out Medallia’s marketing efforts as a “business”. See the section of our Website Privacy Notice titled “Who Accesses Personal Data”.

 

Consumer rights under the CCPA

Your rights under the CCPA include the right to request a copy of the specific personal information collected about you in the 12 months prior to the request, and a business’s data collection practices (including categories of information collected, how information is used, and who it is disclosed to). We will generally refer to these as “access requests”.

In addition, with some exceptions, you can request deletion of the personal information that is collected about you. We will generally refer to these as “deletion requests”.

With respect to personal data of consumers collected in the Medallia Experience Cloud, Medallia’s clients are responsible for fulfilling access and deletion requests. Medallia supports these requests by offering our clients product features, processes and assistance in exporting personal information about individuals. These product features and processes complete the data deletion within 30 days of receiving the request from our client.

With respect to the personal data of consumers collected in Medallia’s marketing efforts, we are responsible for fulfilling access and deletion requests.

The chart below details how you can exercise your rights under the CCPA.

 

Activity How to exercise your access and deletion rights
Providing the Medallia Experience Cloud to Medallia clients as a “service provider”. Please contact the Medallia client identified in the communication you received.

Contact information is commonly located within the communication or in a privacy policy linked from the communication.
Carrying out Medallia’s marketing efforts as a “business”. Please submit a request to [email protected].

In the request, please be as specific as possible in relation to the personal information you wish to access or delete. Once we receive the request, we will review it, and process the request accordingly. If we need additional information to verify your identity, we will let you know.

Any identifying information in such requests will be used solely for verification, and to communicate with you. We will respond to the request within 45 days of receipt, or notify you if you require additional time.