On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework. This decision classifies the United States of America as a country that ensures an adequate level of protection for Personal Data received from the European Economic Area (“EEA”).
Mouseflow ApS and its subsidiary, Mouseflow, Inc. (together, “Mouseflow” or “we”) are committed to the industry best practices concerning Personal Data protection and to the principles established in the EU-U.S. Data Privacy Framework, the United Kingdom (“UK”) Extension to the EU-U.S. Data Privacy Framework program, and the Swiss-U.S. Data Privacy Framework program.
You can verify Mouseflow, Inc. certification in the above-mentioned Framework programs’ list here.
Mouseflow has also other measures in place in order to fully protect your Personal Data.
Mouseflow, Inc. has adopted this EU-U.S. Data Privacy Framework Policy (“Policy”) to establish and maintain an adequate level of Personal Data protection. This Policy applies to the processing of Personal Data that Mouseflow obtains from persons located in the European Union/EEA, UK, and Switzerland.
Mouseflow, Inc. complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Mouseflow, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of Personal Data received from the European Union/EEA in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Our organization is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the EU-U.S. Data Privacy Framework Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Mouseflow, Inc. commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.. European Union/EEA, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Mouseflow, Inc.’s parent company:
1711 Copenhagen V
E-mail Address: [email protected]
Mouseflow, Inc. has further committed to refer unresolved privacy complaints under the DPF Principles to a U.S.-based independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit this link for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See here.
1.1. Whenever used in this Policy, the below terms will have the following specified meanings:
- “Customer” means a company or an individual who acquired a subscription of the Mouseflow software as a service.
- “Customer Employee” refers to Employees of Customers and Prospective Customers.
- “Customer Website Visitors” means the person who accesses Customer’s website, where the Mouseflow software is installed and processing information.
- “DPF Principles” means together the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF (UK Extension) and the Swiss-U.S. Data Privacy Framework program.
- “Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or agent of the indicated entity or any of its affiliates or subsidiaries.
- “Europe” or “European” refers to a country in the EEA, Switzerland and the UK.
- “Prospective Customer” refers to any individual or company that has expressed interest in or is in discussion with Mouseflow regarding the subscription of the Mouseflow software. This includes but is not limited to individuals or companies who have engaged with Mouseflow’s website, marketing materials, initiated contact with the sales team, participated in product demonstrations, or otherwise indicated an interest in purchasing the Mouseflow software license subscription, but have not yet entered into a binding contractual agreement with Mouseflow.
- “Sensitive Information” means (i) Sensitive Data and/or (ii) Personal Data that if processed could create significant risks to the fundamental rights and freedoms of the Data Subject and/or (iii) any Personal Data received from a Data Subject where the Data Subject identifies and treats it as sensitive.
1.2. Whenever used in this Policy, “Data Controller”, “Data Processor”, “Data Subject”, “Joint Controller”, “Personal Data”, “Pseudonymization” and “Sensitive Data” will have the meaning specified in the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”). For clarification and for the scope of this Policy, a reference to a Data Subject is to be understood as a reference to a natural person who is in Europe.
2. Data Processing
2.1. Mouseflow provides a software as a service that allows Customers to monitor their own Customer Website Visitors’ online interactions without disclosing any Personal Data of the latter. In the provision of such service, Mouseflow processes information from:
- Customer Website Visitors (non-personal data) on behalf of and under strict instructions from Customer and;
- Customer Employees.
2.2. In the first case, if Personal Data is inadvertently collected, Mouseflow acts as a Data Processor. In the second case, Mouseflow acts as a Data Controller and processes Personal Data from Customer Employees in order to provide, operate or offer the Mouseflow software as a service to Customer.
2.3. All Mouseflow, Inc. Employees who handle Personal Data may access and use Personal Data only if they are authorized and for the purpose for which they are authorized. They are also required to comply with the DPF Principles stated in this Policy. Such Mouseflow, Inc. Employees shall undergo yearly training on the terms of this Policy, applicable laws and the DPF Principles to effectively implement this Policy.
2.4. Detailed information on the purpose of processing Personal Data of the Data Subjects by Mouseflow mentioned in this section can be found in section 7 below.
2.5. If any practice in the processing of Personal Data by Mouseflow is changed, this Policy will be duly updated, and the affected Data Subjects will be informed prior to the change as mandated by the DPF and any relevant legislation. Mouseflow will offer the affected parties mechanisms to opt out or confirm their consent, as applicable.
3.1. This Policy applies to the processing of Personal Data that Mouseflow, Inc. processes in the United States concerning Customer Employees, and Customer Website Visitors (that were eventually processed by the Mouseflow software despite Customer’s best efforts to not collect them) whose data is received from Europe.
3.3. This Policy does not cover data from which Data Subjects cannot be identified or in case of Personal Data Pseudonymization.
4. Data Protection Authority (DPA)
4.1. Mouseflow, Inc., in consideration to the terms specified in the DPF:
- elects to satisfy the requirement in points (a)(i) and (a)(iii) of DPF’s Recourse, Enforcement and Liability Principle by committing to cooperate with the DPAs;
- will cooperate with the DPAs in the investigation and resolution of complaints brought under the DPF Principles; and
- will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any noncompliance with the DPF Principles, and will provide the DPAs with written confirmation that such action has been taken.
5. Responsibilities and Management
5.1. Mouseflow has designated its Legal Department to oversee its information security program, including compliance with the EU-U.S. DPF program, the UK Extension and the Swiss-U.S. DPF program. The Legal Department shall review and approve any material changes to this program as necessary.
5.2. Any questions, concerns, or comments may be directed to [email protected]. Mouseflow will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the Personal Data that it may collect.
6. Renewal and Verification
6.1. Mouseflow, Inc. will renew its EU-U.S. DPF, UK Extension and Swiss-U.S. DPF certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.
6.2. Prior to the re-certification, Mouseflow will conduct an in-house verification to ensure that its attestations and assertions about its treatment of Personal Data are accurate and that the company has appropriately implemented these practices. Specifically, as part of the verification process, Mouseflow will undertake the following:
- ensure that this Policy continues to comply with the DPF Principles; and
- confirm that Data Subjects have access to the process for addressing complaints and any independent dispute resolution process (Mouseflow may do so through its privacy policies, contracts, or both); and
- review its processes and procedures for training Employees about Mouseflow, Inc.’s participation in the EU-U.S. DPF, UK Extension and Swiss-U.S. DPF programs and the appropriate handling of Personal Data.
7. Collection and Use of Personal Data
7.1. Mouseflow, Inc. processes Personal Data in the following cases:
- Customer Employees when Customer or Prospective Customer registers for a demonstration of the Mouseflow software, acquires a subscription of the Mouseflow software, logs in to their account, complete surveys, request information, subscribe to Mouseflow newsletters, acquire Mouseflow marketing publications (e.g.: eBooks) or otherwise communicate with Mouseflow.
- As stated in the Mouseflow Contracts, Mouseflow provides measures to exclude and requires that Customer uses the features available in the Mouseflow software to avoid and exclude all collection of Personal Data from Customer Website Visitors. The Mouseflow software might inadvertently (although Mouseflow does not intend to and requires Customers not to collect Personal Data) process Personal Data from Customer Website Visitors. In such cases, Mouseflow Inc. might act as a Data Processor and will process the Personal Data on behalf of and under the instructions of our Customer (Data Controller).
7.2. Mouseflow collects the following types of data that might include Personal Data:
- of Customer Employees: contact information (such as name, work email address, work mailing address, work telephone number, title, tax number) and information provided by the Customer Employees through the Mouseflow software account and/or communication channels (e.g.: email, chat, forms).
- of Customer Website Visitors: only non-Personal Data by default: aggregated and anonymous information, such as partial or anonymized IP address, language, browser, operating system, screen resolution, device type, time on site, number of pages viewed, navigation, page content, clicks, mouse movement, scrolling, and a recording of their user activity.
7.3. Mouseflow uses the above listed Personal Data for the following purposes:
- The information concerning Customer Employees in point 7.2. a. above is used for the purpose of complying with the obligations stated in the Mouseflow Contracts such as providing the Mouseflow software as a service to Customer or Prospective Customer by managing transactions and communication, storing data, support services, reporting, invoicing, renewals, satisfying governmental reporting, tax, and other legal or lawful requirements or offering the Mouseflow software as a service to or otherwise communicating with Customer or Prospective Customer (sales, marketing, support, legal, etc.).
- The information mentioned in point 7.2. b. above is used for providing data and reports in our software (recordings, heatmaps, funnels, form, and feedback analysis).
8. Disclosure of Personal Data
8.1. Mouseflow only discloses Personal Data to third parties if:
- obliged by applicable laws or in response to a lawful request by public authorities, including a court order or to meet national security or law enforcement requirements, or;
- consented by the Data Subject.
8.2. In any case, Mouseflow discloses Personal Data only to third parties who reasonably need to know such data and only for the purposes mentioned in this Policy. The third-party recipients to such Personal Data must agree to abide by confidentiality obligations and must:
- comply with the DPF Principles and/or any another mechanism permitted by European data protection laws for transfers and processing of Personal Data; and
- agree via written contract to provide adequate protections for the Personal Data that are no less protective than those set out in this Policy.
Mouseflow is liable for appropriate onward transfers of Personal Data to third parties, except for the Personal Data from Customer Website Visitors collected unintentionally by the Mouseflow software, due to Customer’s action or lack of action.
10. Sensitive Information
Mouseflow requires Customer to exclude Customer Website Visitors’ Sensitive Information from being collected when using Mouseflow’s software and/or services. Mouseflow does not request the disclosure of Sensitive Information by Customer Employees.
11. Data Integrity and Security
Mouseflow uses reasonable efforts to maintain the integrity of Personal Data and to update it as appropriate. Mouseflow has implemented physical and technical safeguards to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. Mouseflow also employs access restrictions, limiting the scope of Mouseflow Employees who have access to Personal Data. Furthermore, Mouseflow uses secure encryption technology in transit to protect certain categories of personal data.
12. Right To Access, Change, or Delete Personal Data
12.1.1. Customer Employees may access their Personal Data, in order to review, correct or amend such data where inaccurate by logging into their account or by contacting Mouseflow by the email [email protected]. In making modifications to their Personal Data, Customer Personnel must provide only truthful, complete, and accurate information.
12.1.2. Customer Website Visitors should contact the Customer which might have collected their Personal Data directly. Although Customer Visitors are welcome to send Mouseflow a written request to [email protected], such request will be forwarded to the Customer (as long as the latter was identified in the email).
12.1.3. Customer Employees who wish to delete their Personal Data should submit a written request to [email protected]. Customer Website Visitors should contact the Customer which might have collected their Personal Data directly. Although Customer Visitors are welcome to send Mouseflow a written request to [email protected], such request will be forwarded to the Customer (as long as the latter was identified in the email).
12.2. The Right to Access is limited by the exceptions in the DPF Principles and applicable law, and also where, by providing access to the Personal Data:
- Mouseflow would incur in disproportionate burden or expense compared to the risks to the Data Subject’s privacy, or
- the rights of persons other than the Data Subject would be violated.
12.3. Mouseflow will provide notice to all affected parties under law and/or contract when either of the following circumstances arise:
- legally binding request for disclosure of Personal Data by a law enforcement authority or a court order, unless prohibited by law or regulation; or
- requests received from Data Subjects. Please note that in cases where Mouseflow acts as a Data Processor, we will forward all inquiries concerning the right to access, change, and/or delete Personal Data to the respective Customer.
12.4. Mouseflow will respond in a timely manner to all reasonable written requests to access, review, modify, or delete Personal Data and/or forward such requests to the respective Customer.
13. Right to Choose and Opt-out
13.1. Mouseflow will only process Personal Data in accordance with the purpose for which it was collected and only disclose such Personal Data to a third party that is acting as an Employee of or processor for Mouseflow.
13.2. Prior to any further processing or disclosure, Mouseflow will inform the Data Subject and offer the opportunity to opt out from their personal information to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.
13.3. Prior notice to Data Subjects will be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
14. Changes to This Policy
This Policy may be amended from time to time, consistent with the DPF Principles and applicable data protection and privacy laws and principles. We will make Mouseflow Employees aware of changes to this Policy either by posting to our intranet, through email, training, or other means.