Privacy policy

This is the privacy policy of the Optimizely group of companies (Optimizely, we, our or us) which comprises Episerver AB, Optimizely Inc., Episerver Inc., Episerver GmbH, Zaius, Inc. and our other subsidiaries and associated companies from time to time.

Optimizely takes your privacy seriously and is committed to protecting your privacy rights. We want you to know why we collect your personal information, what we collect, how we use it, and for how long we store it. We also want you to know how you can access, amend, correct, and in some cases delete your personal information.

This privacy policy explains the information we collect through the Optimizely websites, including www.optimizely.com and world.optimizely.com as well as through other Optimizely managed websites or pages where this privacy policy is posted or linked (our Websites). This privacy policy also describes the personal information collected from or on behalf of end users of our services and software-as-a-service products (our Products and Services).

The Appendix to this privacy policy contains specific provisions that supplement this privacy policy to meet the requirements of specific data protection and privacy laws where they apply.

What personal information we collect

In general terms, personal data, personal information or personally identifiable information are terms used to mean any information about an individual from which that person can be identified. Throughout this privacy policy, we refer to this kind of information as personal information. Where the identity of a person has been removed (by anonymization), then this is not personal information. We call this anonymized information.

We collect both personal information and anonymized information. We may use both personal information and anonymized information to create aggregated information such as statistical or demographic data, which we may use for any purpose.

In general terms, the types of personal information we collect include:

  • General Information: first name and surname, username and password, email address, contact information, country of residence, job title, physical address and other information you provide us when you create an account or interact with us.
  • Transaction and Payment Information: information that may relate to transactions you may carry out with us, including bank account details and other relevant payment information.
  • Identity Information: information that we may require to establish your identity. This may include your title, first name and surname, preferred name, photographic images, residential address and any additional names.
  • Usage Information: information about how you use our Websites and our Products and Services including viewing, logs, metrics and other device and technical data and support tickets. This may include information such as your web request, Internet Protocol (“IP”) address, device identifiers, device information (such as OS type or browser type), cookie IDs, referring / exit pages and URLs, interaction information (such as clickstream data), domain names, pages viewed, crash data, and other similar technical data.
  • Location Information: location information either provided by a mobile device interacting with one of our Websites or applications or associated with your IP address when you visit our Websites or use our Products and Services.
  • Public/Third Party Information: information from third party or public sources or that we receive from companies that partner with us to provide our Products and Services.
  • User Generated Information: content and information that you submit when using the Websites or our Products and Services, including, for example, information you provide in any blogs or forums on the Websites, comments you add on our Products and Services, information you provide when you participate in any interactive features or surveys, and information you submit when filing a support ticket.
  • Consents and Preferences Information: details of permissions, consents and preferences that you give us.

Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that personal information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Products and Services). In this case, we may have to cancel the Products and Services you have with us, but we will notify you if this is the case at the time.

Optimizely and our customers – our role as a processor

  • Our Products and Services allow our customers to build websites, ecommerce sites, and manage marketing campaigns, and they may be used by them to collect personal information.
  • We do not control the content of these webpages, emails or other messages, or the types of personal information that our customers may choose to collect or manage using our Products and Services.
  • In these cases, it is our customers that control the processing of personal information. We act on their behalf as a processor, collecting information under their direction, and we have no direct relationship with the individuals whose personal information we process. The terms of our processing activities are regulated by a data protection agreement entered into between us and our customer. If you have a question about how your personal information is processed by one of our customers or have any other requests relating to that personal information, please contact the relevant customer as the owner of the website or sender of the communication.
  • Personal information that is collected using our Products and Services on behalf of our customers belongs to them and is used, disclosed and protected by them according to their privacy policies and policies and is not subject to this privacy policy.

Why we collect personal information

The purposes for which we use personal information depend on the relationship we have with you.

Products and Services End-Users

Purpose: To provide you with information you ask for including:

  • Following up with you on the resolution of issues, including to provide support.
  • Responding to your requests, questions and issues.

Type of personal information:

  • General Information
  • Identity Information
  • Usage Information
  • User Generated Information

Purpose: To be able to process any order you place, to deliver our Products and Services including:

  • Sending you important operational information.
  • Complying with our contractual obligations to you in relation to the Products and Services.
  • Managing our relationship with you, which will include notifying you about changes to this privacy policy and the terms and conditions of our Websites.

Type of personal information:

  • General Information
  • Transaction and Payment Information
  • Identity Information
  • Consents and Preferences Information

Purpose: To process financial transactions including for our legal and regulatory reasons.

Type of personal information:

  • General Information
  • Transaction and Payment Information
  • Identity Information

Purpose: To operate, maintain, analyze, develop, update and improve our Products and Services including determining how to improve them and also to analyze trends and gather Aggregated Information about our user base to better tailor our marketing efforts, including soliciting for reviews of our Products and Services, which may be administered through partners and/or third parties.

Type of personal information:

  • Usage Information
  • Location Information
  • Public/Third Party Information
  • Consents and Preferences Information

Purpose: To prevent and detect crime, fraud and corruption.

Type of personal information:

  • General Information
  • Transaction and Payment Information
  • Identity Information
  • Usage Information
  • Location Information
  • Public/Third Party Information
  • User Generated Information
  • Consents and Preferences Information

Website Users

Purpose: To provide you with information you may ask for.

Type of personal information:

  • General Information
  • Identity Information

Purpose: To allow you and us to publish any comments or any user generated content that you may post to our Websites (such as on Optimizely World).

Type of personal information:

  • General Information
  • Identity Information
  • User Generated Information

Purpose: For our advertising partners to deliver interest-based advertising on our behalf.

Type of personal information:

  • General Information
  • User Generated Information
  • Usage Information
  • Consents and Preferences Information

Purpose: Personalizing your experience whilst visiting our Websites including:

  • Allowing us to understand the effectiveness of our Websites.
  • Allowing us to better understand your needs.

Type of personal information:

  • General Information
  • Usage Information
  • Location Information
  • User Generated Information
  • Consents and Preferences Information

Purpose: To prevent spam and fraudulent input.

Type of personal information:

  • General Information
  • Identity Information
  • Usage Information
  • Location Information
  • User Generated Information

Representatives of Corporate Customers and Partners or a Third Party Business

Purpose: To provide you with information you ask for including:

  • Following up with you on the resolution of issues, including to provide support.
  • Responding to your requests, questions and issues.

Type of personal information:

  • General Information
  • Identity Information
  • Usage Information
  • User Generated Information

Purpose: To follow up on our marketing content to evaluate its effectiveness for marketing purposes including where you have requested information about a marketing asset.

Type of personal information:

  • Usage Information
  • Location Information
  • Public/Third Party Information
  • Consents and Preferences Information

Purpose: To be able to process any order you place, to deliver our Products and Services including:

  • Sending you important operational information.
  • Complying with our contractual obligations to you in relation to the Products and Services.
  • Managing our relationship with you, which will include notifying you about changes to this privacy policy and the terms and conditions of our Websites.
  • Sending you information that is relevant to your use of the Products and Services.

Type of personal information:

  • General Information
  • Transaction and Payment Information
  • Identity Information
  • Consents and Preferences Information

Purpose: To enable you to resell and provide our Products and Services, which includes fulfilling our contractual obligations to you as a partner.

Type of personal information:

  • General Information
  • Transaction and Payment Information

Purpose: To verify your email address to prevent spam and misuse.

Type of personal information:

  • General Information
  • Transaction and Payment Information
  • Identity Information
  • Usage Information
  • Location Information
  • Public/Third Party Information
  • User Generated Information
  • Consents and Preferences Information

Event Participants

Purpose: When you register for an Optimizely event which includes managing and following up on the event.

Type of personal information:

  • General Information
  • Identity Information
  • Consents and Preferences Information

Purpose: When you participate at an Optimizely event which includes:

  • For managing and following up on the event.
  • Allowing you to subscribe to our newsletter or other marketing communications.
  • To enter a competition or game.

Type of personal information:

  • General Information
  • Identity Information
  • Consents and Preferences Information

Where we obtain personal information from

We use different methods to collect personal information from and about you including through:

  • Direct interactions. You may give us your personal information by submitting information to us, filling in forms on our Websites or by corresponding with us by post, phone, email or otherwise. This includes when you:
    • apply for or enquire about our Products and Services – as a customer, potential customer or reseller;
    • create an account on our Websites;
    • request support for our Products and Services;
    • subscribe to our publications;
    • request marketing to be sent to you;
    • register for an event;
    • participate at an event;
    • enter a competition, promotion or survey; or
    • give us feedback or contact us.
  • Automated technologies or interactions. As you interact with our Websites and through your use of our Products and Services, we will automatically collect personal information relating to your equipment, browsing actions and patterns. For example, this includes when we collect the URLs of any pages viewed or links clicked on our Websites and connect them to your profile. We collect this personal information by using cookies, server logs and other similar technologies. Please see our Cookies Policy for further details.
  • Third parties or publicly available sources. We will receive personal information about you from various third parties and public sources as set out below:
    • analytics providers such as Google;
    • advertising networks;
    • search information providers;
    • providers of technical, payment and delivery services;
    • data brokers or aggregators; and
    • publicly available sources.

Data sharing

Data sharing within Optimizely

  • We may share personal information within Optimizely to deliver Products and Services to our customers.
  • Optimizely has employees and offices globally. This means that we may transfer information globally. Outside of the EU, we have offices in, for example, the United States, Vietnam, Norway, Australia, and South Africa, but Optimizely employees or sub-processors may access the information from other countries, subject to any geofencing controls that may have been put in place to restrict access to personal information.

Data sharing with those who support our Products and Services

  • In order to deliver our Products and Services, we rely on a number of different systems, platforms and services, some of which are provided by members of the Optimizely group of companies and some of which are provided by third party vendors and service providers. This covers everything from the software we use in our finance department to the infrastructure we use to run our Products and Services, including when you participate in a free trial. Where we use vendors and service providers, they act as processors on our behalf. These vendors are under a data processing agreement with us, act on our instructions and adhere to the policies described in this document.
  • Third party vendors that we use in order to provide support for our services include:
    • Salesforce – https://www.salesforce.com/
    • Zendesk – https://www.zendesk.com/
    • Chartio (an Atlassian company) – https://chartio.com/
    • Heroku (a Salesforce company) – https://www.heroku.com/
    • Segment.io, Inc. – https://segment.com/
    • New Relic – https://newrelic.com/
    • Looker (a Google company) – https://looker.com/
    • Amplitude – https://amplitude.com/
    • Slack – https://slack.com/
    • Marketo – https://www.marketo.com/
    • Atlassian – https://www.atlassian.com/
    • Okta – https://www.okta.com/
    • Gainsight – https://www.gainsight.com/
    • Mailchimp – https://mailchimp.com/
    • Virtua – https://virtua.tech/
    • Aha, Inc. – https://www.aha.io/
    • Chargebee – https://www.chargebee.com/
    • LaunchDarkly – https://launchdarkly.com/
    • Intercom – https://www.intercom.com/
    • Fullstory – https://www.fullstory.com/
    • JIRA – https://www.atlassian.com/software/jira
    • Netsuite – https://www.netsuite.com/
    • OneTrust – https://www.onetrust.com/
    • 6sense – https://6sense.com/
    • Litmos – https://www.litmos.com/
    • Drift – https://www.drift.com/
    • G2 – https://www.g2.com/
    • Trust Radius – https://www.trustradius.com/

Data sharing with other third parties

  • We never sell or rent your personal information to third parties.
  • If you are an individual based in the EEA and have given us your express permission, we may share your personal information with select partners that you choose. If you are an individual not based in the EEA, we may share your personal information with select partners that are clearly labelled when you sign up. We always make clear when we share that information – for example, when we provide an event or an asset in collaboration with a partner of ours.

Protection of your personal information

  • We take care to protect your personal information against abuse or loss. As an example, we store personal information in secure environments. We also provide training to our employees on data protection best practices and require them to enter into a confidentiality agreement.
  • We cannot guarantee absolute security though. If you would like to learn more about what we do to protect your personal information, please contact us at [email protected].
  • We hold our vendors and service providers to the same high privacy standards as we hold ourselves. In all cases where we share your personal information with anyone outside of Optimizely, we explicitly require them to acknowledge and adhere to our privacy and customer data handling policies through a data processing agreement.

Children’s Privacy

  • Protecting the privacy of young children is especially important. For that reason, Optimizely does not knowingly collect or solicit personal information from anyone under the age of 13. In the event that we learn that we have collected personal information from a child under age 13, we will delete the information we have stored as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us as indicated in the contact section below.

How long we keep personal information

Generally

  • In general terms, we keep your personal information for as long as it is warranted to fulfil our commitments to you and to adhere to legal or regulatory requirements.
  • If you are a customer, partner or someone else with whom we deal, we keep the personal information as a minimum for the duration of our relationship. Certain personal information may be kept for longer though, for example, to ensure that we have an accurate record of your dealings with us in the event of any complaints or challenges; or if we reasonably believe there is a prospect of litigation relating to your relationship with us.
  • If you have requested to receive marketing communications, we will keep your personal information only for as long as you wish to receive those communications.

If you are an Optimizely customer or partner (or prospective customer or partner)

  • If you are an Optimizely customer or partner, we may keep your personal information for the duration of our contract between your organization and us. If not required by law or regulation to keep your information beyond that term, we will remove it within 12 months of the contract ending.
  • If you have signed or entered into a contract with us, we typically archive and store that contract for an extended period of time, typically seven years or longer, depending on jurisdiction. Other items such as invoices may also be kept for longer than 12 months.
  • If you have been in touch with us with a question, demo request, asked for a quote, or have engaged with a sales representative, your information will be stored for up to 12 months after the last recorded activity, and will then be removed or anonymized.
  • If you are a prospective Optimizely partner, we may keep your personal information for so long as you are active as a prospect or until you tell us you do not wish to become an Optimizely partner.
  • If you have asked to receive one of our newsletters or other marketing communications from us, we will keep your personal information to maintain your subscription, even if you are no longer a customer or partner of ours.
  • If you have signed up to take part in our developer community or discussion forums, your personal information will be retained indefinitely unless you explicitly tell us to remove it.

If you are not an Optimizely customer or partner

  • If you have opted into any of our content marketing initiatives or have opted into our newsletters, your personal information will be kept for as long as you seem to be an active subscriber.
  • If we haven’t seen any activity on your part for 12 months, we will remove your personal information or anonymize it.
  • If you have signed up to take part in our developer community or discussion forums, your personal information will be retained indefinitely unless you explicitly tell us to remove it.

Your choices and rights

This section describes the rights you have under this privacy policy. You may have additional rights under applicable law - please see the Appendix for details.

How you can opt out of Optimizely marketing

  • You can choose to opt out of marketing communications from us at any time.
  • If you don’t want to receive marketing communications from us, you can at any time use the “Unsubscribe” link present in all marketing emails from us or go to our unsubscribe page.
  • Please note that opting out of email marketing typically doesn’t mean that you won’t see ads from us – please see our Cookie Policy on how you can opt out of web tracking, although it doesn’t mean that you will opt out of ads altogether.

How you can opt out of third party marketing such as from our customers

  • Our customers are solely responsible for their own marketing emails and other communications and we cannot unsubscribe you from their communications.
  • You can unsubscribe from our customers' marketing communications by clicking on the "unsubscribe" link located on the bottom of their emails, or by contacting them directly.
  • If you believe any of our customers has engaged in unsolicited sending of mass email (or SPAM) and that they are using our Products and Services to do so, please contact us at [email protected].

How to contact us

  • If you are based in the European Economic Area, you can write to:

Episerver AB
c/o Legal Department
Box 7007
103 86 Stockholm
Sweden

  • Send email to: [email protected].
  • If you are based outside of the European Economic Area, you can write to:

Optimizely Inc.
c/o Legal Department
119 Fifth Avenue, 7th Floor
New York, NY 10003
USA

Changes to this Privacy policy

From time to time, we may change this privacy policy to accommodate changes to our Products and Services and companies, new technologies or industry practices, updated laws or regulatory requirements, and generally to keep it up to date. We will provide notice to you (as described below) if these changes are material.

Notices may be by email to the last email address you provided us, by posting notice of such change on our Websites or the Products and Services you use, or by other communication channels.

 


APPENDIX TO THE PRIVACY POLICY

Supplementary Provisions

 

Section A - UK and EEA Data Subjects

If you are an individual in the United Kingdom (UK) and/or European Economic Area (EEA), we collect and process information about you only where we have a legal basis for doing so under applicable laws (applicable law), which include (but are not limited to) the UK and EU data protection and privacy laws.

Legal basis for processing your personal information

The legal basis upon which we rely depends on which of our Products and Services you use and the reasons for which you contact us. We collect and use your personal information where:

  • Contractual – performing any contract we have with you or to take steps at your request prior to entering into a contract with you.
  • Legitimate Interests - this is necessary for our legitimate interests as a business and is not overridden by your legitimate privacy interests. These legitimate interests include our interest in:
    • operating and providing our Websites and our Products and Services, including to provide customer support and process your orders, requests, questions and concerns;
    • collecting product usage, analytics and performance data relating to our Websites and our Products and Services, in order to maintain, analyze, develop, update, and improve them;
    • maintaining records of bugs, customer support requests and similar requests you file, and our response to these requests;
    • using information to personalize content and features on our Websites and our Products and Services;
    • detecting, investigating and preventing activities that may breach or violate our policies or applicable laws (such as fraud detection and prevention);
    • managing our business in an efficient and proper way, which includes managing financial administration, business capability, planning, communications, corporate governance and audit;
    • maintaining corporate or business records consistent with our retention policies and applicable laws;
    • protecting against activities that may threaten the security, integrity, or availability of our or another party’s products, systems, and services;
    • protecting our legal rights and defending claims; and
    • for marketing and selling our Products and Services consistent with applicable laws.
  • Consent - You give us consent to process your personal information.
  • Legal Obligations - We need to process your personal information to comply with a legal obligation, such as a lawful subpoena or law-enforcement request or to fulfil the lawful instructions of our customers (when they are acting as the controller).
  • Other - We have another lawful basis for processing your personal information in accordance with applicable law.

International data transfer

Within Optimizely

We may share your personal information within Optimizely relying on binding corporate rules in place from time to time.

With third parties

  • Third parties to whom we provide your personal information may be located outside the UK and EEA or they may use servers that are located outside the EEA. In that event, we will ensure that adequate protection of your personal information is provided as required by applicable law, for instance by concluding Standard Contractual Clauses issued by the European Commission.
  • Some vendors and service providers are based outside the EEA and UK, including the United States. Whenever we transfer your personal information outside the EEA and/or UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
    • We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal data under applicable law.
    • Where we use certain service providers, we may use specific contracts approved for use in the UK and/or EEA that give personal information the same protection it has in the UK and/or EEA.
    • In the case of specific service providers, we may implement supplemental safeguard measures, which may be technical, contractual and/or organisational in nature.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK and/or EU.

Your Rights

Under applicable law, you have the following rights:

  • Access to your information: You have the right to request a copy of the personal information we hold about you.
  • Correcting your information: We want to have accurate personal information about you. Please contact us if you think the personal information we hold is not up to date or correct and we will correct it for you.
  • Deletion of your information: You have the right to ask us to delete personal information about you if it no longer is required for the purpose it was collected, you have withdrawn your consent, you have a valid objection to us using your personal information, or our use of your personal information is contrary to law or our other legal obligations.
  • Objecting to how we may use your information: You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information on legitimate interest grounds then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
  • Restricting how we may use your information: In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information but you don't want us to delete the information. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
  • Automated processing: If we use your personal information on an automated basis to make decisions that significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your information with your consent or as part of a contractual relationship with you.
  • Withdrawing consent to using your personal information: Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given. Note, however, that this will not affect any processing that has already taken place.

Please contact us if you wish to exercise any of these rights. You can find the contact details below.

How to contact us

  • We have appointed a Data Protection Officer. If you are a UK or EEA resident who requires assistance in exercising your privacy rights, please write to our Data Protection Officer at [email protected].

Complaints

  • We always want to resolve directly all complaints about how we handle personal information.
  • If you are an EEA resident, you also have the right to lodge a complaint with the Swedish Data Protection Authority (Datainspektionen). You can reach Datainspektionen using one of the following methods:

Postal address: Datainspektionen, Box 8114, SE-104 20 Stockholm

Office address: Drottninggatan 29, 5th floor, Stockholm

E-mail: [email protected]

Telephone: +46 8 657 61 00

  • If you are a UK resident, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can reach the ICO using one of the following methods:

Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF

Email: https://ico.org.uk/global/contact-us/email/.

 

Section B - California Resident Notices

California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act of 2018 (the CCPA) allows consumers who are California residents, upon a verifiable consumer request, to request that a business:

  • Delete any personal information about the consumer that the business has collected from the consumer;
  • Disclose to the consumer certain information about the personal information that the business collects from the consumer; and
  • Direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.

Optimizely does not sell any consumer personal information to third parties. To submit a data access or data deletion request, please visit our portal or contact us at [email protected] or 1-603-594-0249. Please note that these requests apply only to information that Optimizely holds as a “controller.” If your request relates to the personal data collected through a customer’s websites or digital products, you should direct your request to the owner of that website or product. Please note that you must verify your identity and request before Optimizely will process your request. You may be required to provide email confirmation or other information in order for us to verify your identity. Consistent with California law, if you choose to exercise your rights, you will not receive discriminatory treatment by Optimizely.

Under certain circumstances, you may designate an authorized agent to make a request on your behalf. In order to designate an authorized agent to make a request on your behalf, you must provide a valid power of attorney, your valid government issued identification, and the authorized agent’s valid government issued identification to allow Optimizely to verify that the agent is authorized to make the request on your behalf.

If you have any questions about Optimizely's privacy policies and practices, please contact us at [email protected].

California’s Shine the Light Law

CA Civil Code § 1798.83 permits California residents to request and obtain from Optimizely once a year, free of charge, a list of the third parties to whom Optimizely may have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those third parties. As a general policy, Optimizely does not share personal information with third parties for their own direct marketing purposes without your prior consent. Accordingly, you can prevent disclosure of your personal information to third parties for their direct marketing purposes by withholding consent. Please contact us at [email protected] if you would like to make such a request.