Last updated: April 2024
Appcues is committed to protecting the privacy of all its users.
In order to ensure that our customers and users are informed of our data handling policies and their rights pertaining to their personally-identifiable information (PII), we maintain this privacy policy, which details our practices around information collected through the Appcues platform. In this privacy policy, PII refers to information that can be used to identify you (such as your name, email address, or other contact information) and other information that is linked to your personal identifiers (such as login information).
2. Kinds of Information We Collect
4.3. Shared Responsibility Model
4.4. EU-U.S. and Swiss-U.S. Data Privacy Frameworks, with UK Extension
6. Changes to this Privacy Policy
Our approach to data security and privacy includes but is not limited to:
Appcues processes four different categories of data, which reflect the different levels of sensitivity in context. However, there are several common traits about how we handle the data, regardless of type:
This data can be used to identify a specific user. Examples of end-user PII include:
We use End-user PII to customize and deliver Appcues experiences. We do not share End-user PII except as described in this privacy policy or as directed by our customers. For example, enabling third-party integrations with Appcues, which necessarily involve sharing information in order for the integration to work, is up to the discretion of the customer.
Customers may opt out of browser and browser history information by contacting Appcues Support.
This data pertains to how end users are interacting with Appcues experiences; for example, whether a flow was shown to a given user, whether a user has interacted with a tooltip, etc. This category also includes user responses to in-Appcues forms or surveys. This data stream is available for CSV download on the Appcues Studio application.
We do not actively collect PII for use in this category, and no PII is required in this category in order to use Appcues. Note, however, that form or survey responses may add PII to this data.
We use data in this category to customize and deliver Appcues experiences, as well as display analytics on the Appcues Studio application.
Customers may also configure Appcues to send certain data upstream to other services.
Please refer to the Shared Responsibility Model for further information.
This data includes business-relationship information, such as the name and email address of each of a customer's team members who are authorized to use the Appcues platform. We collect customer PII through the Appcues Studio application.
Appcues does not handle or store financial data about customers (e.g., credit card information). Instead, we use a fully PCI DSS compliant payments processor.
We use this type of data mainly in the Appcues Studio application and Builder, and within the Appcues business.
This category includes customer-wide, aggregated statistics such as active user count, number of Appcues experiences shown, how many Appcues experiences are published at a time, etc.
This data does not contain PII.
We use data in this category mainly in the Appcues Studio application and Builder, customer emails, and within the Appcues business.
If you have interacted with Appcues content, then Appcues may have some data relating to you and your activity on that app or website. The types of data that we might have are described in sections 2.1 and 2.2 of this privacy policy. Appcues provides you with certain choices and means for exercising your rights to your PII, such as accessing, correcting, amending, deleting or limiting the use and disclosure of your PII. For example, if we wish to use or share PII we have collected from you for a purpose that is materially different from the purpose(s) for which we originally collected your PII or for which you later provided consent, then we will ask you for your consent before such use or sharing, and we will provide you with an effective way to opt out of such use or sharing. A further description of your rights and our commitment to compliance with applicable law is set forth below in Section 4. To exercise your rights, please contact us at the address listed at the bottom of this privacy policy and, where applicable, please provide your account ID and user ID along with a description of the nature of your request so that we can verify and act on your request. Please keep in mind that where Appcues is acting as a service provider to your organization, PII collected by us in connection with our services is controlled by your organization, as described at the end of Section 4 below.
Appcues is committed to the privacy of information as it passes over our network, as well as to preventing unauthorized access to customer or end-user data. Among other technical and organizational measures we have implemented to protect data, we use industry-leading encryption to protect all external traffic in transit (via HTTPS/TLS) and at rest (using AES-256 and an automated key rotation system).
We delete end-user and customer data promptly upon verified request by the applicable customer or end user, except to the extent required by applicable law or to perform or enforce the terms of applicable contracts. Some data may remain in archival backups, which are deleted in the ordinary course of business.
Requests for data deletion may be addressed to support@appcues.com.
Appcues invests heavily and continually monitors the Appcues platform to protect the security and privacy of our customer data. However, if our customers use certain Appcues features, they will have a responsibility to take action to fully protect the security and privacy of the data managed by Appcues. This is commonly referred to as a shared responsibility model. The Shared Responsibility Model describes the shared responsibility of certain Appcues features and their benefits. Please refer to the Appcues Documentation for more information. As new capabilities are introduced, or responsibilities are identified, the Shared Responsibility Model documentation will be updated or expanded.
Appcues complies with the EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (the “UK Extension”), and the Swiss-U.S. Data Privacy Framework (the “Swiss-U.S. DPF” and, collectively, the “DPFs”) as set forth by the U.S. Department of Commerce. Appcues has certified to the U.S. Department of Commerce that it adheres to the Principles set forth in each of the foregoing (collectively, the “DPF Principles”) with regard to the processing of PII received from the European Economic Area (that is, the EU Member states, plus Iceland, Liechtenstein and Norway, collectively, the “EEA”) in reliance on the EU-U.S. DPF, from the United Kingdom and Gibraltar in reliance on the UK Extension, and from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and any such DPF Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Under the DPFs, we are responsible for the processing of PII we receive and subsequently transfer to a third party acting as an agent on our behalf. We comply with the DPF Principles for all onward transfers of PII, including the onward transfer liability provisions.
With respect to PII received or transferred under the DPFs, we are subject to the regulatory and enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose PII in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Appcues is committed to addressing inquiries and resolving complaints about our collection and use of PII. If you have such an inquiry or complaint, please first contact us using the contact information specified at the bottom of this privacy policy.
In compliance with the DPFs, we have committed to refer unresolved complaints concerning our handling of PII transferred to us in reliance on the DPFs to an alternative dispute resolution provider based in the United States. If you live in the EEA, UK or Switzerland and have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://go.adr.org/dpf_irm.html. Under certain conditions, more fully described on the DPF website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
You may have rights under other applicable data protection laws. For example, if you are a resident of California, then under California law, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, the “CCPA”), you may have specific rights relating to your PII. Your rights depend on the nature and purpose of the collection and use of your PII and may include the right to be informed about categories of PII we collect, categories of the sources of PII, and categories of third parties with whom we share PII. This information is provided in the applicable sections of this privacy policy. You may also have the right to request information about the specific PII we may have about you, and you may do so by contacting us as set forth below. In some cases, you may have the right to request that we delete PII we may have about you. We will respond and, where applicable, comply with your requests free of charge and within the timeframe required under applicable law.
We do not share PII for direct marketing (including cross-context behavioral advertising) purposes, and, as noted above, we do not sell PII for any purpose. Therefore, the elements of CCPA or other applicable law relating to the sale or “commercial” use of PII do not apply to us. Similarly, we do not track users over time across third-party, non-customer websites, and therefore we do not recognize or respond to browser-initiated “do not track” signals.
We recognize the evolving privacy landscape and the growing list of states with data privacy laws that provide rights similar or in addition to those under CCPA. We respect the privacy rights of all of our users, and we do not discriminate against our users based on their data-privacy choices or the exercise of their rights under applicable laws. We are committed to complying with all data protection laws to the extent they apply to us, and to assisting our customers in their compliance obligations as applicable and appropriate. You do not need to establish an account with us or be a registered user in order to send us a request, but if you already have an account with us, we may communicate with you about your request through your account. To exercise your rights, please contact us at the address listed below. Please allow us a reasonable time to respond to your request.
Please note that your rights under certain data protection laws depend in part on the nature of your relationship with us. For example, if we are processing your PII in the role of a service provider to your organization as our customer, then your organization is responsible for the instructions it gives to us regarding your PII, and if you wish to exercise any rights you may have under applicable data protection laws, please direct your inquiry to your organization. Because we may only access and use our customer’s data (which may include your PII) in accordance with instructions from the applicable customer, if you are a customer user and you make your request directly to us, we will refer your request to that customer, although we will support them as required by applicable data protection laws in responding to your request.
All policies and practices described in this privacy policy are subject to our obligation to comply with applicable law, including any lawful request by public authorities. We may disclose any information necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of service or other applicable agreement, or as otherwise required by law.
If Appcues merges with or is acquired by another company, our data, including your PII, may be transferred to the other company, and the terms of this privacy policy may be subject to change.
We use the information you provide about yourself when doing business with us only to provide the service that you have requested, including customer service, during the term of your or your organization’s agreement with us. We do not share this information with outside parties, other than the service providers described above, without your permission.
Finally, we never use or share PII provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt-out or otherwise prohibit such unrelated uses, except under the circumstances described in this privacy policy.
We reserve the right to change this privacy policy at any time. Any changes we make will be effective immediately as of the date the modified privacy policy is made available through our services or on our website. By continuing to access or use our services after we have posted a modification to this privacy policy, you are indicating that you agree to the terms of the modified privacy policy.
If you have any questions about this privacy policy, our collection and use of your personal information, or to exercise your rights under this privacy policy and applicable law, please contact us at support@appcues.com or
Appcues, Inc.
68 Harrison Ave 605
PMB 94414
Boston, MA 02111 USA