GDPR Privacy Notice

Effective Date: February 25, 2019

GDPR Privacy Notice: This GDPR privacy notice (the “Notice”) is included in our Privacy Policy and applies to the ‘personal data,’ as defined in the GDPR, of natural persons located in the European Economic Area (“EEA Individuals,” “you,” or “your”) processed by Validately. Any capitalized terms or other terms not defined herein shall have the meaning ascribed to them elsewhere in the Validately Privacy Policy or, if not defined herein or elsewhere in the Privacy Policy, the GDPR. To the extent of any conflict between this Notice and any other provision of the Validately Privacy Policy, this Notice shall control only with respect to EEA Individuals and their personal data. If you are located elsewhere, please see our Privacy Policy here.

Processor Disclosure: We are a data processor when providing our Platform to our Customers. When serving as a processor, Validately has certain obligations under GDPR, including only processing personal data at our Customers’ instructions reflected in the applicable Master Services Agreement, providing assistance with fulfilment of rights requests, and implementing appropriate security for personal data. We will forward any inquiries, complaints, or requests received from data subjects with respect to their personal data within the Platform (such as Test Results, which includes audio and video recordings) to the appropriate Customer and await instructions before taking any action. See the list of our subprocessors here.

With respect to testers provided by our Customers (“Customer’s Testers”), we serve as a processor of personal data collected from, or about, such Customer’s Testers within the Platform (including financial information relating thereto, where applicable, and Test Results).

Notwithstanding the foregoing, we are a controller of personal data (a) where Customer’s Testers sign up for the Validately External Panel and become one of our Testers, to the extent described in Tester Panel Sign-up below (please note that we do not solicit Customer’s Testers to sign up for the Validately External Panel but anyone is free to do so online), (b) where Customers ask us to source testers, as described in Sourcing Testers below, (c) as required for legal compliance purposes (e.g., accounting of financial information), and (d) as otherwise described in Controller Disclosure & Details below.

Controller Disclosure & Details: We are a data controller of personal data regarding the following EEA Individuals: Prospective/current Customers (including Customer end-users of our Platform) or vendors (collectively, “Business Contacts”), Visitors, and Testers for the purposes and under the legal bases described in the table below. Please note that, in some cases, the categories of data subjects above may overlap.

Data Subject Category

Purpose & Legal Basis of Processing

General (applies to all data subjects below)

Web Audience Measurement: Our legitimate interest in use of Google Analytics and FullStory to understand high-level metrics of your Site and Platform usage (e.g., page views, time on pages, feature usage, bounce rates), as applicable, in order to optimize the user experience.

Information Security: Generally speaking, our web servers will log your IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed on the Site or Platform. We use this information pursuant to our legitimate interests in tracking Site and Platform usage, combating DDoS or other attacks, and removing or defending against malicious visitors on the Site and Platform.

Business Contacts

Direct Marketing: Our legitimate interest in sending current or prospective Customers email marketing, including via sign-ups on the Site.

Platform Demonstrations: Our legitimate interest in setting up demos with prospective Customers pursuant to their request.

Executing Contracts and other Legal Documentation: We will process all personal data necessary for the performance of contracts to which Business Contacts are a party (such as our Terms of Service) or to take requested steps to enter into such contracts.

General Business Development: Our legitimate interest in furthering business relationships, ensuring Customer satisfaction, and answering inquiries (such as through your interaction with us via Intercom).


See General above.


Tester Panel Sign-up: When Testers sign up for the Validately External Panel, we collect certain personal data that is necessary for the performance of our contract (e.g., the Panel Terms of Use) with our Testers, such as their name, PayPal email address, and password.

We also collect demographics information (e.g., county/city-level geolocation, what type of device or computer you own, job title, employment status) pursuant to our legitimate interest in finding Tests that would be a good fit for or of relevant interest to such Testers’ profile.

We will also use your name and email address to send you emails about future research sessions pursuant to your consent.

Sourcing Testers: Sometimes, a Customer may ask Validately to source Testers. To the extent Validately cannot supply Testers that have already signed up (as described above), Validately may source Testers externally, such as through LinkedIn Ads targeting a specific demographic provided by the Customer. Such demographics are not specific to an individual; LinkedIn will, however, target ads to users on its platform based on such demographics.

Controller’s Representative: Bartosz Gałuszka, eu-rep AT validately DOT com

Recipients: Our sales, marketing, and finance teams process the personal data of Business Contacts, Visitors, and Testers, as needed, and disclose such information to the following recipients:

  • Google Cloud (US East): Cloud-based storage provider
  • Google Analytics: Site and Platform analytics
  • Intercom: Customer support and messaging system (analytics tied to customer when registered for free trial or engaging with Intercom)
  • Salesforce: CRM for prospective or current Customers
  • Stripe: Payment provider (Validately does not receive the financial information)
  • Typeform: Survey functionality to better fit Testers with future studies
  • Qualtrics: Survey tool used for Tester registration process
  • FullStory: Session recordings for monitoring errors and crashes
  • Sendgrid: Email delivery platform
  • Stripe: Online payment processing
  • Unbounce: Builds marketing landing pages (and forms within)
  • Chartio: Business Intelligence platform

Retention: Please see below for our general retention periods. Please note that the below retention periods may be extended or shortened, as appropriate, based on the context of our relationship with an EEA Individual (e.g., negotiations for a sale, interest in the Platform), and for compliance with legal obligations (e.g., accounting, finances, tax).

We will retain the personal data of prospective Customers for approximately three (3) years. At that point, the prospective Customer will have to re-sign up for marketing or re-demonstrate interest in the Platform, as applicable. This retention period may be extended for prospective Customers that are in current negotiations with Validately near the end of such retention period.

Current Customers’ personal data will be retained until the relationship terminates, at which point their personal data will be retained for approximately seven (7) years for finance and tax purposes and in case of repeat business.

Personal data relating to contractual and other legal documentation, such as with our Customers or vendors, will be retained permanently.

Emails sent to Validately will be retained for 7 years from the date of receipt.

Analytics data from Google Analytics and FullStory will be retained for 14 months from the date of receipt.

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. These rights may be exercised by contacting: with the subject line “GDPR Notice.” You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under Validately’s Standard Contractual Clauses.

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by submitting your request to with the subject line “GDPR Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside the EEA: We are self-certified under the EU-US and Swiss-US Privacy Shield (see Privacy Shield specific provisions below) and rely on it to transfer your personal data to our data centers located in the US for various processing activities. When transferring your personal data to our agents, service providers or other controllers (such as our Customers) in countries that have not received an ‘adequacy decision’ by the European Commission, we ensure that these recipients commit to upholding the Principles of the Privacy Shield. We may also rely on appropriate Standard Contractual Clauses with such recipients to ensure adequate protection for your personal data.

Governmental Access Requests: Validately may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this Notice. This Notice shall be binding upon Validately and its legal successors in interest.

Updates to this Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this Notice, and the “Effective Date” at the top of this page will be updated accordingly.

Contact Us: Validately is located at:

B601 V2, Inc.,
315 Fifth Avenue,
Suite 903,
New York, NY 10036

Please use this address or, preferably, reach out to with the subject line, “GDPR Notice” for any questions, complaints, or requests regarding this Notice.

E.U.-U.S. and Swiss-U.S. Privacy Shield

Privacy Shield: If your personal information is transferred from the EEA to the US pursuant to the Privacy Shield, then the rights, remedies, and protections set forth in this section apply to you. We comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data from the European Union member countries (including Iceland, Liechtenstein, and Norway) and Switzerland to the United States, respectively, pursuant to the E.U.-U.S. and Swiss-U.S. Privacy Shield. Validately has certified that it adheres to the Privacy Shield principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability (the “Privacy Shield Principles”). If there is a conflict between this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit

Validately is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

In compliance with the EU-US and the Swiss-US Privacy Shield Principles, we commit to resolve complaints about your privacy and our collection or use of your personal information. European Union or Swiss individuals with inquiries or complaints regarding this Notice should first contact us at with the subject line “Privacy Shield”. We have further committed to refer unresolved privacy complaints under the EU-US and the Swiss-US Privacy Shield Principles to the BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the US and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Validately, please visit for more information and to file a complaint. If these processes do not result in a resolution, you may also contact your local data protection authority, the US Department of Commerce, and/or the Federal Trade Commission for assistance. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Onward Transfer to Third Parties under the Privacy Shield: Like many businesses, we hire other companies to perform certain business-related services. We may disclose personal information to certain types of third party companies but only to the extent needed to enable them to provide such services. The types of companies that may receive personal information and their functions are: billing, customer service, data storage, hosting services, disaster recovery services, sales support, credit card processors, and logistics support companies. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Validately. We may also disclose personal information to our affiliates in order to support marketing, sale, and delivery of our Platform.

With regard to the principle of Accountability for Onward Transfer, for example, we remain liable if our agent processes such personal information in a manner inconsistent with the Privacy Shield Principles, unless we prove that we are not responsible for the event giving rise to the damage.

Opt-In and Opt-Out to Certain Onward Transfers under the Privacy Shield: We may transfer your personal information to a third party controller, but you may opt-out of such transfer at any time by sending us an email at with the subject line “Privacy Shield”.

We will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent. You may grant such consent by sending us an email at with the subject line “Privacy Shield”.

In each instance, please allow us a reasonable time to process your response.

Your Privacy Shield Rights: Upon request to with the subject line “Privacy Shield”, we will provide you with confirmation as to whether we are processing your personal data pursuant to the Privacy Shield, and have such data communicated to you within a reasonable time. You have the right to access, correct, amend, or delete the personal data processed pursuant to the Privacy Shield where it is inaccurate or has been processed in violation of our privacy disclosures to you. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

Retention of Personal Information under the Privacy Shield: We will retain the personal information processed pursuant to the Privacy Shield in a form that identifies you pursuant to Retention above. We may continue processing such personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.

How We Protect Your Personal Information under the Privacy Shield: Validately takes very seriously the security and privacy of the personal information that it collects pursuant to the Privacy Shield. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations.