The General Data Protection Regulation (“GDPR”) primarily concerns itself with personal data. Data that is collected during testing that is truly anonymized and cannot be tied back to an individual is generally not subject to GDPR. The various rights that GDPR grants individuals over their personal data primarily apply to data that is personally identifiable.
If you do not manually collect testers' name, email, or other personally identifiable information during the course of your test, you generally should not run into privacy concerns. That said, you should refer to your own Legal / Privacy Counsel to verify.
Using a Legal block
If your use of Maze will collect personally identifiable information from testers, we recommend using a Context Screen or a Legal block (Organization plan only) at the start of the test.
In this document, you should outline how you’ll be using their data, and provide your contact information as the controller of the data in question for exercising their rights under GDPR (e.g. include a link to your Privacy Policy).
Cookies
GDPR also concerns itself with persistent cookies that are used for tracking/analytics purposes. For certain types of cookies, consent is needed. This is why you often see cookie consent warnings when accessing GDPR-compliant websites from the EU.
That does not apply to our tester URLs (t.maze.co). To reduce concerns around GDPR compliance, we deliberately do not place tracking cookies on your maze tests.
Addressing data subject requests
If you do collect personally identifiable information in your mazes (e.g. if you ask for names or contact information), you can fulfill data subject requests in the following way:
- Right of access: If your testers are requesting access to data you have collected from them, you can honor this request by exporting your results for that specific tester. You can do this either by exporting an image of their test session (available on all plans), or by exporting a CSV of tester results (available on paid plans) and extracting the data that pertains to them.
- Right to be forgotten: You can delete participant data and manage data subject requests from participants directly by deleting their test sessions from every maze. If you've used Reach to contact them, you must also delete their participant record there.
Opt out from communications
If you receive a request to opt out of future processing, you wouldn't generally need to take any action in Maze, unless you’re using Reach. In this case, you would direct them to use the unsubscribe link found within the Reach campaign emails in order to opt out.
Note that you may still need to take action in other third-party services to opt your testers out from all communications.
Deletion of user data for Maze users
Some deletion of user data for users of Maze itself can also be handled on your end. For example, if you wish to delete uploaded content, you can do so by simply deleting your project or maze.
If you wish to delete an entire team at once, the owner of that team would need to reach out to Support to have the team deleted.
Note that, when deleting a team, the members of that team will not be deleted — only the owner record, if explicitly requested. Each team member would need to submit an account deletion request individually, as the owner of their own account.
More resources
For more information, please refer to our Terms and Service and Privacy Policy.