Privacy Policy

One of UXtweak's top-level priorities is to keep data that belongs to our clients safe and secure. We don't just stay up-to-date with any laws that regard user privacy and sensitive information. It is our aim is to always offer the best possible protection to all data that's been entrusted to us.

Data storage

We designed UXtweak to be robust towards any possible data losses. UXtweak uses the servers and cloud infrastructure by Amazon Web Services (AWS) for storage of personal data. All data collected by UXtweak is stored electronically in Ireland, Europe in the AWS infrastructure, data center eu-west-1. Our application servers and database servers function within Amazon VPC (Virtual Private Cloud). The database containing visitor and usage data is only accessible from the application servers and no outside sources are allowed to connect to the database.

Data access and backup

UXtweak makes sure that your data remains accessible and safe even in the case of system failure (as is in accordance with the laws of EU). For prevention against data loss, we create an electronic copy of all data processed by UXtweak, which is stored for the duration of the following 72 hours. In case of a server failure, UXtweak employs this copy as backup.

Compliances, Certificates, and Audits

UXtweak’s data is stored in Amazon Web Services (AWS) cloud. For more information regarding the security of AWS, see the following links.

Certifications and audit reports for AWS:

UXtweak passed a self-evaluation process in accordance with the SAQ A standard (Self Assessment Questionnaire) and is eligible to accept so-called card-not-present payments (CNP) by entrusting all operation related to payments to the company Stripe, which conforms to the standard PCI DSS (Payment Card Industry Data Security Standard). The processor’s servers do not process, transfer or store any data data of the card holder.


In the course of providing our service, UXtweak may process personal data on your behalf. In order to outline specifics of how we will perform this processing and what our obligations are as well as the obligations of our users/customers we've created a Data Processing Agreement (DPA) that we enter into free of charge with anyone that uses our service and requests it.

UXtweak hires the following subprocessors for purpose of personal data processing:

  • Amazon Web Services EMEA SARL 38 avenue John F. Kennedy, L-1855 Luxembourg;
  • Mailgun Technologies, Inc., 548 Market St. #43099, San Francisco, CA 94104, USA;
  •, Inc., 187 East Warm Springs Rd, SB119, Las Vegas, NV 89119, USA;
  • Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA;
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

For the purposes of securing effective distribution of content when providing services as a data processor, as well as optimal functioning of the server infrastructure on part of the data processor, UXtweak utilizes the service AWS CloudFront as a content delivery network (CDN). AWS CloudFront exclusively processes geolocation data of subjects and stores it in its anonymized form for the purposes of securing effective provision of services to subjects.

UXtweak utilizes the service Mailgun for delivery of transaction e-mail messages which are necessary for the functioning of the service. Within Mailgun, email addresses of subjects and the contents of the email messages are processed for the duration of 7 days. Processing of private data by Mailgun is handled in USA and it falls under EU-US Privacy Shield.

All operations related to payments are processed by Stripe, which conforms to the PCI DSS (Payment Card Industry Data Security Standard). UXtweak's servers do not process, transfer or store any data data of the card holder.

UXtweak uses the service Google Analytics for monitoring user activity on our website for the purposes of providing relevant information. For this purpose, Google collects anonymized statistical data about usage of our web pages. We use GSuite as our email provider, which means that e-mails delivered to email addresses belonging to UXtweak or sent by UXtweak's employees can be stored on Google's servers. We use Google Drive for shared files. In rare cases we maintain lists of contact information in Google spreadsheets, but we are continuously working on removing all such data.

We use the standard software by Microsoft (e.g., MS Office) and, due to this fact, Microsoft can process personal data.


You can depend on UXtweak to protect your data by employing the latest among current security standards. We use SSL/TLS (Secure Sockets Layer / Transport Layer Security). All data that comes to and leaves our servers is encrypted. UXtweak is also PCI DSS compliant.


We conduct routine monitoring of UXtweak's performance so we can to deal with any issues with the service's stability ASAP. This actually means that many problems get solved before they can even affect our users. You can get updates on how our systems are doing on the page


Naturally, we protect the passwords that our users use to authenticate themselves by storing them in (bcrypt) hashed format. Authentication is a requirement for accessing your account. UXtweak doesn't collect any sensitive data such as passwords and credit card numbers. Access to user data is restricted strictly for employees for the purposes of providing service and support.

Besides Replay's data collection being secure by default, RePlay also gives you the option to further customize which data gets recorded. You can either set up rules for data collection in your study, or use our API to mark UI elements which are supposed to be hidden from recording even on the individual level.

What can UXtweak RePlay record?

UXtweak is entirely customizable in the respect that you have full power over what's recorded and what isn't. Want to only record on mobile devices, leave out a range of IP addresses or control which pages or forms are left out of the recordings? These are just some of the things you can do. What's more, you can set up your recording rules separately for end-users from inside and outside of the EU. This way, you can create a recording policy that's suited specifically for the GDPR, while maintaining a different policy elsewhere.

If your website has any forms in it, it is quite likely that you're collecting the user's personal data in some form. When collecting personal data from the user, you have to comply with the laws that apply in their country. In the European Union, you can't collect personal data without the user's knowledge and their consent.

As such, a statement such as this should be found somewhere in your Terms of service or your Privacy policy:

For the purposes of web analytics, your personal data may be recorded by 3rd party service

Different laws apply in different countries and so your obligations for collecting personal data can also vary significantly by locale. If you're not sure about collecting some sort of data in a specific country, we recommend consulting a local lawyer to learn more.

Should visitors know when they're being recorded?

The answer is different depending on whether the data you're collecting is personal by nature. If it isn't, informing the user isn't legally necessary. For collecting personal data, you should probably inform the users, differences in local laws notwthstanding. A good place to inform your users of this fact is directly on your website, in the Privacy policy.

Aside from the legal side of things, some visitors might wish not to be tracked online, in no way whatsoever. You can send these people to UXtweak's opt-out link.

Is recording users/visitors legal?

Yes, there's no problem. Recording data for session replay is no different from collecting usage data for any other web analytics tool, such as Google Analytics.

What's important from the legal perspective is how recording of personal data is handled in your UXtweak RePlay project. As explained in the paragraphs above, UXtweak allows you to fully adjust what gets recorded. You could broadly disable recording within all forms (where personal data usually gets entered), or just disable those UI elements that concern personal data and leave the remaining forms untouched.

How does UXtweak use cookies?

While using UXtweak, temporary files, known as Cookie files (cookies), can be stored and processed. By processing cookies, personal information might be collected and linked with the visitor. This personal information is used solely to improve UXtweak services. UXtweak respects privacy of its users and visitors and when processing cookies, we follow the privacy rules of the European Union.

A visitor can deactivate or restrict collection and storage of cookies by changing the settings of their web browser, or by browsing the web in Incognito (private) mode, where they remain anonymous. This mode is supported in all modern browsers. By using it, the user acknowledges that UXtweak services might not work properly for them and that use of UXtweak services can exhibit unexpected behavior.

Cookies set by the UXtweak scripts

uxt-replay_*UXtweak RePlay cookie. Sets when a visitor opens a website that uses UXtweak RePlay. It stores the current session's random id. When the visitor leaves the site, the cookie's expiration is set to 30 minutes. If the visitor doesn't come back, the cookie expires and the visitor's next visit will be recorded as a new session.Session / 30 minutes
uxt-identityUXtweak RePlay cookie. Sets when RePlay's collector script is first downloaded. It stores a random visitor id, which it uses to distinguish between visitors and to identify repeated visits.Permanent
uxt-recruiter-focusUXtweak Recruiter Widget cookie. Set when the visitor sees a page with the recruiter widget on it. It makes sure that once the visitor minimized the recruiter widget, it will stay minimized as visitor continues browsing the website.10 minutes

Cookies set by visiting the UXtweak website

uxt-sessionIdentifies and maintains the user's session on the UXtweak website.Session
uxt-accounts-sessionIdentifies and maintains the user's session in the UXtweak Accounts application (login, account management).Session
uxt-optoutCreated if a visitor decided to opt-out of UXtweak. If this cookie exists in the browser, RePlay won't collect any session data.365 days
XSRF-TOKENUXtweak cookie. Stores a token which is used to prevent cross-site request forgery (XSRF).2 hours
Cookies used by Google Analytics to distinguish between users and to throttle request rate.2 years
24 hours
1 minute
Cookies used by to monitor and chat with visitors. Distinguishes visitors, so previous conversations with visitors can be identified.Decided by