The General Data Protection Regulation (GDPR) primarily concerns itself with personal data. Data that's collected during testing that's truly anonymized and can't be tied back to an individual is generally not subject to GDPR. The various rights that GDPR grants individuals over their personal data primarily apply to data that's personally identifiable.
If you don't manually collect testers' names, email addresses, or other personally identifiable information during your test, you generally shouldn't run into privacy concerns. That said, you should refer to your own Legal/Privacy Counsel.
Using a Legal block
If your use of Maze collects personally identifiable information from testers, we recommend using a Context Screen or a Legal block (Organization plan only) at the start of the test.
In this document, you should outline how you'll be using testers' data and provide your contact information as the controller of the data in question, so that testers can exercise their rights under GDPR (e.g. include a link to your Privacy Policy).
Cookies
GDPR also concerns itself with persistent cookies that are used for tracking/analytics purposes. For certain types of cookies, consent is required. This is why you often see cookie consent warnings when accessing GDPR-compliant websites from the EU.
This doesn't apply to our tester URLs (t.maze.co). To reduce concerns around GDPR compliance, we deliberately don't place tracking cookies on your maze tests.
Addressing data subject requests
If you collect personally identifiable information in your mazes (e.g. if you ask for names or contact information), you can fulfill data subject requests in the following ways:
Right of access
If your testers are requesting access to data you have collected from them, you can honor this request by exporting your results for that specific tester. You can do this either by exporting an image of their test session (available on all plans), or by exporting a CSV of tester results (available for paid plans) and extracting the data that pertains to them.
Right to be forgotten
Tester data (e.g. maze results, clips, session data) is stored by Maze so that you can continue to access and use it until you choose to delete it.
Learn more about deleting participant data:
- Delete individual tester sessions from each maze
- Delete sessions/recordings from interview studies
- Delete the participant record in Reach
More broadly, you can also delete mazes, interview studies, and projects.
Opt testers out of communications
If you receive a request to opt out of future communications, you wouldn't generally need to take any action in Maze, unless you’re using Reach.
In that case, direct them to the unsubscribe link found in the Reach campaign emails to opt out or, alternatively, remove them from the database altogether.
You may still need to take action in other services to opt your testers out of all communications.
Deletion of user data for Maze users
Some requests to delete the data of users of Maze itself can also be handled on your end. For example, if you wish to delete uploaded content, you can do so by simply deleting your project, maze, or interview study.
To delete an entire team at once, the owner of that team needs to reach out to Support to have the team deleted.
Note that deleting a team doesn't delete the members of that team. Only the owner's record is deleted, and only if explicitly requested. Each team member would need to submit an account deletion request individually, as the owner of their own account.
More resources
For more information, please refer to our Terms of Service and Privacy Policy.