Privacy Policy

One of UXtweak's top-level priorities is to keep the data that belongs to our clients safe and secure. We don't just stay up to date with the laws that govern user privacy and sensitive information; our aim is to always offer the best possible protection for all data that has been entrusted to us.

Data storage 

We designed UXtweak to be robust against data loss. UXtweak uses the servers and cloud infrastructure of Amazon Web Services (AWS) to store personal data. All data collected by UXtweak is stored electronically in the AWS infrastructure in Ireland, Europe (data center eu-west-1). Our application servers and database servers run inside an Amazon VPC (Virtual Private Cloud). The database containing visitor and usage data is reachable only from the application servers; no outside source is allowed to connect to the database.

Data access and backup  

UXtweak makes sure that your data remains accessible and safe even in the case of a system failure, in accordance with EU law. To guard against data loss, we create an electronic copy of all data processed by UXtweak, which is kept for the following 72 hours. In the case of a server failure, UXtweak uses this copy as a backup.

Compliances, Certificates, and Audits 

UXtweak's data is stored in the Amazon Web Services (AWS) cloud. For more information regarding the security of AWS, see the following links.

Certifications and audit reports for AWS:

UXtweak passed a self-evaluation process in accordance with the SAQ A standard (Self-Assessment Questionnaire A) and is eligible to accept so-called card-not-present (CNP) payments by entrusting all payment-related operations to the company Stripe, which conforms to the PCI DSS standard (Payment Card Industry Data Security Standard). The processor's servers do not process, transfer or store any cardholder data.

Subprocessors 

In the course of providing our service, UXtweak may process personal data on your behalf. To set out how we perform this processing and what our obligations are, as well as the obligations of our users and customers, we have created a Data Processing Agreement (DPA), which we enter into free of charge with anyone who uses our service and requests it.

UXtweak hires the following subprocessors for the purpose of personal data processing:

  • Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, L-1855 Luxembourg;
  • Sendinblue GmbH, Köpenicker Straße 126, 10787 Berlin, Germany;
  • Mailgun Technologies, Inc., 548 Market St. #43099, San Francisco, CA 94104, USA;
  • Tawk.to, Inc., 187 East Warm Springs Rd, SB119, Las Vegas, NV 89119, USA;
  • Stripe, Inc., 510 Townsend Street, San Francisco, CA 94103, USA;
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

To distribute content effectively when providing services as a data processor, and to keep the data processor's server infrastructure running optimally, UXtweak uses AWS CloudFront as a content delivery network (CDN). AWS CloudFront processes only the geolocation data of subjects and stores it in anonymized form, for the purpose of delivering the service to subjects effectively.

UXtweak uses Sendinblue to send newsletters. If a subject subscribes to our newsletter, we need their explicit consent to receive it. The data the subject provides when subscribing is stored on Sendinblue servers in Germany. If the subject wants to cancel their subscription, they may do so at any time, either through the "Unsubscribe" link in one of our newsletter emails or by using our contact form. This processing is based on Art. 6 (1) (a) GDPR, and the subject may revoke their consent at any time. The data provided when registering for the newsletter is used to distribute the newsletter until the subject cancels their subscription, at which point that data is deleted from Sendinblue's servers. Data we store for other purposes (e.g., the email addresses of registered users) remains unaffected.

UXtweak uses the Mailgun service to deliver the transactional e-mail messages that are necessary for the service to function. Within Mailgun, subjects' email addresses and the contents of the email messages are processed for seven days. Mailgun's processing of personal data takes place in the USA and falls under the EU-US Privacy Shield.

All payment-related operations are processed by Stripe, which conforms to PCI DSS (Payment Card Industry Data Security Standard). UXtweak's servers do not process, transfer, or store any cardholder data.

UXtweak uses Google Analytics to monitor user activity on our website so that we can provide relevant information. For this purpose, Google collects anonymized statistical data about the usage of our web pages. We use GSuite as our email provider, which means that e-mails delivered to UXtweak email addresses or sent by UXtweak's employees can be stored on Google's servers. We use Google Drive for shared files. In rare cases we keep lists of contact information in Google spreadsheets, but we are continuously working on removing all such data.

We use standard Microsoft software (e.g., MS Office), which means that Microsoft can also process personal data.

Encryption 

You can depend on UXtweak to protect your data using current security standards. We use SSL/TLS (Secure Sockets Layer / Transport Layer Security): all data that reaches or leaves our servers is encrypted in transit. UXtweak is also PCI DSS compliant.

Stability 

We routinely monitor UXtweak's performance so that we can deal with any stability issues as soon as possible. In practice this means that many problems are resolved before they can affect our users. You can check the current state of our systems at status.uxtweak.com.

Accessibility 

Naturally, we protect the passwords our users authenticate with by storing them only as bcrypt hashes. Authentication is required to access your account. UXtweak doesn't collect any sensitive data, such as passwords and credit card numbers. Access to user data is restricted strictly to employees, and only for the purpose of providing service and support.

Besides RePlay's data collection being secure by default, RePlay also lets you customize which data gets recorded. You can either set up data collection rules in your study, or use our API to mark UI elements that should be hidden from recording, even at the level of individual elements.

What can UXtweak RePlay record? 

UXtweak is fully customizable in this respect: you have complete control over what is recorded and what isn't. Want to record only on mobile devices, exclude a range of IP addresses, or control which pages or forms are left out of the recordings? These are just some of the things you can do. What's more, you can set up separate recording rules for end-users inside and outside the EU. This way you can create a recording policy tailored to the GDPR while maintaining a different policy elsewhere.

If your website has any forms on it, you are quite likely collecting the user's personal data in some form. When collecting personal data from a user, you have to comply with the laws that apply in their country. In the European Union, you can't collect personal data without the user's knowledge and consent.

As such, a statement such as this should be found somewhere in your Terms of Service or your Privacy Policy:

For the purposes of web analytics, your personal data may be recorded by 3rd party service UXtweak.com.

Different laws apply in different countries, so your obligations when collecting personal data can also vary significantly by locale. If you're unsure about collecting some kind of data in a specific country, we recommend consulting a local lawyer.

Should visitors know when they're being recorded? 

The answer depends on whether the data you're collecting is personal by nature. If it isn't, informing the user isn't legally necessary. When collecting personal data, you should inform the users, local differences in the law notwithstanding. A good place to inform your users of this is directly on your website, in the Privacy Policy.

Aside from the legal requirements, some visitors may not wish to be tracked online in any way. You can direct these visitors to UXtweak's opt-out link.

Yes, there's no problem. Recording data for session replay is no different from collecting usage data for any other web analytics tool, such as Google Analytics.

What matters from the legal perspective is how the recording of personal data is handled in your UXtweak RePlay project. As explained above, UXtweak lets you fully adjust what gets recorded. You can broadly disable recording within all forms (where personal data is usually entered), or disable recording only for those UI elements that concern personal data and leave the remaining forms untouched.

How does UXtweak use cookies? 

While you use UXtweak, temporary files known as cookies may be stored and processed. Through the processing of cookies, personal information might be collected and linked to the visitor. This personal information is used solely to improve UXtweak's services. UXtweak respects the privacy of its users and visitors, and when processing cookies we follow the privacy rules of the European Union.

A visitor can disable or restrict the collection and storage of cookies by changing the settings of their web browser, or by browsing in incognito (private) mode, where they remain anonymous. This mode is supported by all modern browsers. By using it, the user acknowledges that UXtweak's services might not work properly for them and may exhibit unexpected behavior.

Cookies set by the UXtweak scripts 

uxt-replay_*
  Description: The UXtweak RePlay cookie, set when a visitor opens a website that uses UXtweak RePlay. It stores the current session's random id. When the visitor leaves the site, the cookie's expiration is set to thirty minutes. If the visitor doesn't come back, the cookie expires and the visitor's next visit is recorded as a new session.
  Duration: Session / 30 minutes

uxt-identity
  Description: The UXtweak RePlay cookie, set when RePlay's collector script is first downloaded. It stores a random visitor id, which is used to distinguish between visitors and to identify repeat visits.
  Duration: Permanent

uxt-recruiter-focus
  Description: The UXtweak Recruiter Widget cookie, set when the visitor sees a page with the recruiter widget on it. It ensures that once the visitor minimizes the recruiter widget, it stays minimized as the visitor continues browsing the website.
  Duration: 10 minutes

Cookies set by visiting the UXtweak website and tools 

uxt-session
  Description: UXtweak cookie. Identifies and maintains the user's session on the UXtweak website.
  Duration: Session

uxt-accounts-session
  Description: UXtweak cookie. Identifies and maintains the user's session in the UXtweak Accounts application (login, account management).
  Duration: Session

uxt-optout
  Description: UXtweak cookie. Created if a visitor has decided to opt out of UXtweak. If this cookie exists in the browser, RePlay won't collect any session data.
  Duration: 365 days

uxt-app-promo-popup
  Description: UXtweak cookie. Used to hide a promotional pop-up widget on the dashboard in UXtweak tools.
  Duration: 4 days

uxt-web-promo-popup
  Description: UXtweak cookie. Used to hide a promotional pop-up widget on the UXtweak website.
  Duration: 7 days

XSRF-TOKEN
  Description: UXtweak cookie. Stores a token used to prevent cross-site request forgery (XSRF).
  Duration: 2 hours

_ga, _gid, _gat
  Description: Cookies used by Google Analytics to distinguish between users and to throttle the request rate.
  Duration: _ga 2 years; _gid 24 hours; _gat 1 minute

__tawkuuid, __cfduid, TawkConnectionTime
  Description: Cookies used by tawk.to to monitor and chat with visitors. They distinguish visitors so that previous conversations with a visitor can be identified.
  Duration: Decided by tawk.to