Privacy Policy

Introduction: Who We Are and Why We Collect Your Information

Wistia, Inc. (“Wistia,” “we,” “us,” “our”) knows that our users (“you,” “your”) create and manage marketing content, video series, and other educational and creative content. Our products permit our customers (“Customers”) to create and distribute videos, audio recordings, and other media (collectively, the “Media”) while also measuring viewer and user engagement with that Media (all such individuals that view and use the Media, the “Users”).

We care about how your personal information is used and shared, and we take your privacy seriously. Please read the following to learn more about our Privacy Policy. By visiting or using the various websites owned and operated by Wistia under the wistia.com domain, including, without limitation, the https://wistia.com/ website (each, a “Website, and collectively, the “Websites”), accessing, listening to, or viewing Media hosted by Wistia and/or accessing or using any other functionalities, features, content, applications or services offered from time to time by Wistia in connection with the Websites or Media (collectively, the “Services”) in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent to our collection, use, and sharing of your information in the following ways.

I. What Does This Privacy Policy Cover?

This Privacy Policy covers our treatment of (1) personally identifiable information, as defined by numerous statutes in the United States (such statutes, the “PII Laws”), (2) information protected by the California Consumer Privacy Act (“CCPA”)and the California Privacy Rights Act (“CPRA”) amendments, and the California Online Privacy Protection Act (“CalOPPA”), (3) the Colorado Privacy Act (“CPA”), (4) the Connecticut Personal Data Privacy Act (“CTDPA”); (5) the Montana Consumer Data Privacy Act (“MCDPA”); (6) the Oregon Consumer Privacy Act (“OCPA”); (7) the Texas Data Privacy and Security Act (“TDPA”); (8) Virginia Consumer Data Protection Act (“VCDP”), and (9) Utah Consumer Privacy Act (“UCPA”); (10) personal data, as defined by the European Union General Data Protection Regulation (“GDPR”), (11) the Switzerland Data Protection Act (“DPA”), and (12) the UK General Data Protection Agreement (“UK GDPR”); and (13) personal information, as defined by Canada’s Personal Information Protection and Electronics Documents Act (“PIPEDA,” and collectively with the PII Laws, CCPA, CalOPPA, the SHIELD Act, and GDPR, the “Privacy Laws”) (collectively, “Personal Information”), which we gather when you are accessing, viewing or using any of our Websites, Media and/or Services.

This policy does not apply to the practices of companies that we do not own or control, or to individuals that we do not employ or manage. For our treatment of the Personal Information of students under the age of 16 (each such student, a “Student,” and collectively, “Students”) collected while providing the Services to public schools, charter schools, private schools, and other entities providing educational or tutoring services (collectively, “Schools” and each individually, “School”) providing such services to Students, please see Section X below and our Schools & Students Privacy Policy Addendum.

II. What Information Does Wistia Collect?

Wistia does not collect Personal Information indiscriminately. We limit the type of Personal Information and the amount of Personal Information to what is necessary to fulfill the purposes identified in this Privacy Policy. With that in mind, we collect the following types of information:

A. Information You Provide to Us

We may collect Personal Information from you when you visit any of our Websites, register for or subscribe to any Media or Services, contact us with questions or concerns, and/or otherwise interact with the Websites, Media, or Services. For example, when you register for our Services, we may collect your name, phone number, user name, and e-mail address in combination with a password or security question to access the Services, and your payment information. Similarly, you may provide information to your user profile or upload video, audio recordings, images, or other content to a Website. Where Users or Customers provide video, audio recordings, images, or other Personal Information of one or more individuals, we rely on that User or Customer to obtain the explicit consent of those individuals. You can choose not to provide us with certain information, although that may affect the functionality of the Services.

A.1 Google User Data

From time to time, Customers may import and upload Media to the Website or Services directly from the Google drive. While we permit this, we want you to understand that when you provide any such Media to the Website or Services, we may gain access to, collect, and process certain data associated with that Media. This includes but is not limited to: (1) Contents of the Media, such as the actual contents of the uploaded Media including its audio and visual components; (2) Metadata, such as the technical specifications (file format, resolution, size, device used to capture the Media, and software or application used to create the Media, etc.), descriptive elements (title, file name, and keywords, etc.), administrative information (author name or username, copyright information, and the date and time the Media was uploaded or created, etc.), and usage metrics (views, interactions, and user engagement, etc.); and (3) Connected Data, which may include any other data directly or indirectly related to the imported or uploaded Media. Please note that any data collected by us pursuant to this clause will be processed, stored, used, and shared in the same manner and for the same purposes as other information that is subject to this Privacy Policy.

Google’s use and processing of Personal Information is governed by the Google Privacy Policy, available at:

https://policies.google.com/privacy?hl=en-US

B. Information Collected Automatically

Whenever you interact with any of our Websites or Media, we automatically receive and record information on our server logs from your browser including data related to Media viewing, listening to, or accessing (including when you stop and start Media, how many and which Media of a particular Customer you watched, and how many times you watched, listened to, or accessed particular Media), data related to use of Services, IP address, device, “cookie” information, and the page you requested.

An “IP address” is a number assigned to a computer by an Internet service provider “ISP” to access the Internet. In most consumer cases, an IP address is dynamic (changing each time connect to the Internet), not static (unique to a particular user’s computer).

“Cookies” are small text files placed to your computer or mobile device to recognize your browser or mobile device and customize the look and feel of a website for you. Cookies remember information about you, your preferences, and your device for a better user experience. Wistia does not collect any information about you, your preferences or your device using Cookies. If you click on a link to a third party website, such third party may transmit cookies to you. This Privacy Policy does not cover the use of cookies by any third parties.

C. E-mail and Other Communications

We may contact you, by email or other means; for example, we may communicate with you about your use of any of the Websites. When we do this, we may receive a confirmation when you open an email from us. This confirmation helps us make emails more interesting and improve our service.

If you do not want to receive email or other mail from us, please indicate your preference by visiting our email preference page. Please note that if you do not want to receive legal notices from us, those legal notices will still govern your use of the Websites, and you are responsible for reviewing such legal notices for changes.

D. Information Purchased from Third Parties

Wistia may purchase from third parties, like Clearbit, Personal Information about Users who provide their email address or register for the Services, using the Personal Information those Users provide as the basis to obtain further Personal Information. This information may include names, titles, companies, and firmographic information. Wistia may retain YouTube API Services to provide aggregate, statistical information about the access to, views of, and use of Media that Customers post to YouTube. Personal Information generated automatically by your access to, views of, and use of Media may be aggregated and included in that statistical information.

E. Special Categories of Personal Information

In certain situations, Users may provide information to user profile or upload video, audio recordings, images, or other contact to a Website that may reveal certain limited types of Personal Information that is of a sensitive nature (Sensitive Personal Information), including information about the following: (1) Personal Information revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, or trade union membership, (2) data concerning health, and data concerning a natural person’s sex life or sexual orientation. (3) financial information, and your geographic location. In such cases, we may process Sensitive Personal Information to provide Services to Users who provided such information. For purposes of this Privacy Policy, Sensitive Personal Information is considered to be a special category of Personal Information.

Where we collect and use such information as a controller (as defined in the GDPR), we will provide you with a form explaining the collection of such Personal Information and requesting your explicit consent. Where we collect and use such information as a processor (as defined in the GDPR), we rely on the controller to obtain your explicit consent.

F. Sensitive Personal Information

Wistia may collect Sensitive Personal Information, as defined under the CPRA and PIPEDA, in the form of your financial information, messages sent via the Services, and your geographic location.

G. Personal Information Wistia Has Collected in the Last 12 Months

Wistia has collected the following categories of Personal Information in the 12 months immediately preceding the Effective Date of this Privacy Policy, listed at the bottom of this document: names; contact information; payment information; IP addresses; geographic location (inferred from IP addresses, as described in Section III below); browser information; device information; information related to the use of the Websites, Media, and Services; email confirmations; user name or e-mail address in combination with a password that would permit access to the Services; the content of communications; user profile information and submissions; job titles; employers; and firmographic information. Please see the other portions of Section II above for an explanation of the categories of sources from which we collect the information described in the previous sentence. The business purposes of this information are described in Section III below. The categories of third parties we share this information with are described in Section IV.

III. What Does Wistia Do With Personal Information?

A. Use of Personal Information

Wistia uses all categories of Personal Information listed above for any and all legal and legitimate businesses purposes, including:

  1. To personalize and improve our Services, to administer and improve our Media and Websites;
  2. To allow Users to set up their user accounts and profiles;
  3. To communicate with Users and fulfill your requests for certain products and services;
  4. To understand how Users utilize the Websites; Media, and Services
  5. To protect user accounts with user names or e-mail addresses in combination with passwords;
  6. To process payments to Wistia;
  7. To infer your geographic location;
  8. To operate, maintain, develop, and grow Wistia.

At times, we may anonymize your Personal Information so that you cannot be individually identified, and provide that information to our partners. For example, if you have provided your email address or other Personal Information while accessing Media, we may anonymize that Personal Information when providing Media usage information to our partners.

When we collect IP addresses, geographic location, browser information, device information, information related to the use of the Websites, Media, and Services, we may also use such information in two ways.

  1. First, we may use such information in aggregate form (including the aggregate statistical information obtained from YouTube API Services), and not in a manner that would identify you personally. For example, this aggregate information tells us how often Users use parts of a Website, so that we can make such Website appealing to as many Users as possible.
  2. We may also provide this aggregate information (including the aggregate statistical information obtained from YouTube API Services) to our partners; our partners may use such information to understand how often and in what ways people use our Websites, so that they, too, can provide you with an optimal experience. In addition, we may also provide Customers with the information listed above so that they may (i) assess, improve, and develop the Media that they make available through the Websites and Services, and (ii) use their Media to maintain and grow their organizations. Such information may include how many and which Media of a particular Customer was watched by a particular user, from where particular Media was watched, listened to, or accessed by a particular user and how many times particular Media was watched, listened to, or accessed by a particular user.

B. Storage of Personal Information

We store and process all electronic Personal Information that we collect in the United States.

IV. Will Wistia Share Any of the Personal Information it Collects?

We share your Personal Information with third parties as described below.

A. Customers

As mentioned above, we may provide Customers with certain identifiable usage information directly related to the Media that such Customers make available through the Websites and Services. Such information may include IP addresses, geographic location, browser information, device information, and information related to the use of the Websites, Media, and Services (such as how many and which Media of a particular Customer was watched by a particular user, from where particular Media was watched, listened to, or accessed by a particular user and how many times particular Media was watched, listened to, or accessed by a particular user). We may also share names, contact information, geographic location, the content of communications, user profile information and submissions, job titles, employers, and firmographic information which Customers may use to market or further develop their organizations.

B. Affiliated Businesses and Third Party Websites We Do Not Control

In certain situations, businesses or third party websites we’re affiliated with may sell items or provide services to you through a website (either alone or jointly with us). You can recognize when an affiliated business is associated with such a transaction or service, and we will share your Personal Information with that affiliated business only to the extent that it is related to such transaction or service. We have no control over the policies and practices of third party websites as to privacy or anything else, so if you choose to enter into such transaction or to receive such service, please review the applicable third party websites’ policies.

C. Agents and Service Providers

We employ other companies and people to perform tasks on our behalf and may need to share your Personal Information with them to provide products or services to you, for example, processing credit card payments. Unless we tell you differently, our agents and service providers do not have any right to use the Personal Information we share with them beyond what is necessary to assist us. We acknowledge our potential liability if our agents misuse your Personal Information.

D. YouTube

Some Customers post Media to YouTube. If you use, view, listen to, or otherwise access such Media on YouTube, YouTube will have access to Personal Information you generate by using, viewing, listening, or accessing that Media, which is then used by YouTube API Services to generate the aggregated statistical information Wistia collects from YouTube API Services, as described in Section II.D of this Privacy Policy. YouTube’s use of Personal Information is governed by the Google Privacy Policy, available at http://www.google.com/policies/privacy.

E. User Profiles and Submissions

Certain user profile information, including, without limitation, a user’s name, location, and any video, audio recordings, images or other content that such user has uploaded to a Website, may be displayed to other Users to facilitate user interaction within such Website or to address your request for Wistia’s services. Your account privacy settings allow you to limit the other users who can see the Personal Information in your user profile and/or what information in your user profile is visible to others. Any content you upload to your public user profile, along with any Personal Information or content that you voluntarily disclose online in a manner other users can view (on discussion boards, forums, in messages and chat areas, etc.) becomes publicly available, and can be collected and used by others. Your user name may also be displayed to other users if and when you send messages or comments or upload video, audio recordings, images, or other content through the Website and other users can contact you through messages and comments.

F. International Transfers of Personal Information

If and to the extent Wistia transfers Personal Information from another country into the United States, Wistia does so in compliance with the Privacy Laws of the originating country and for purposes outlined in this Privacy Policy. If and to the extent we transfer Personal Information of individuals in the EEA, Switzerland or the UK to the United States, we do so under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. In addition, we also implement the Standard Contractual Clauses (approved by the European Commission and Swiss authorities) and the UK Addendum to the Standard Contractual Clauses (approved by the UK authorities) where appropriate. If you have any inquiry regarding our adherence to the Data Privacy Framework, see section XIV below, or contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

G. Business Transfers

We may choose to buy or sell assets. In these types of transactions, Personal Information is typically one of the business assets that is transferred. Also, if we (or substantially all of our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Information would be one of the assets transferred to or acquired by a third party.

H. Protection of Wistia and Others

Wistia will disclose any Personal Information that Wistia reasonably believes is necessary or appropriate to comply with law or court order, enforce or apply Wistia’s Privacy Policy, Terms of Use, and other agreements, or protect the rights, property, or safety of Wistia, our employees, our customers, our users, the public, or others. This includes disclosing Personal Information to third parties for fraud protection and credit risk reduction. In addition, in certain situations, Wistia may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Wistia will notify you of any such requests unless prohibited by law.

Except as set forth above, we will obtain your consent before disclosing your Personal Information to a third party.

J. Personal Information Wistia Has Sold to Customers in the Last 12 Months

The CCPA (as amended by the CPRA) defines the sale of Personal Information very broadly. In the traditional sense, Wistia does not sell Personal Information, however we disclose certain Personal Information to our Customers as part of the Services and the hosting of Media we provide to them. As part of our commercial relationships with our Customers, Wistia has disclosed the following categories of Personal Information to Customers in the 12 months immediately preceding the Effective Date of this Privacy Policy, listed at the bottom of this document: names; contact information; IP addresses; geographic location; browser information; device information; information related to the use of the Websites, Media, and Services; the content of communications; user profile information and submissions; job titles; employers; and firmographic information.

K. Personal Information Wistia Has Disclosed to Third Parties in the Last 12 Months

In the 12 months immediately preceding the Effective Date of this Privacy Policy, listed at the bottom of this document, Wistia has disclosed the following categories of Personal Information to third parties that provide business and operational services to us: names; contact information; payment card information; geographic location; IP addresses; browser information; device information; information related to the use of the Websites, Media, and Services; email confirmations; user name or e-mail address in combination with a password that would permit access to the Services; the content of communications; user profile information and submissions; job titles; employers; and firmographic information.

VI. How Long Does Wistia Retain Your Personal Information?

Except upon the request of an individual, as explained in Section VII below, and except as the law permits and requires, Wistia maintains Personal Information as follows:

A. Logs of unknown users of the Websites are retained for 30 days before deletion.

B. Logs of known users of the Websites are retained while Wistia has reason to believe that particular user may return to use the Websites.

C. Emails submitted and used for marketing are retained while Wistia pursues relevant marketing efforts.

D. Media is hosted and stored for the life of the relevant Customer account, plus up to three years.

Other than as listed above, we will determine the retention period for Personal Information based on the following criteria:

  1. The nature of our relationship with the relevant Customer;
  2. The existence of other ongoing or expected projects with the relevant Customer;
  3. The nature of the Personal Information in question; and
  4. Our business needs.

VII. What Are Users’ Rights to Control Their Personal Information?

Except where permitted or required by Privacy Laws, you have the following rights regarding Wistia’s collection and use of your Personal Information.

A. Requests to Wistia

You may request the following from Wistia with respect to your Personal Information:

  1. The correction and updating of your Personal Information;
  2. The restriction and deletion of select portions of your Personal Information or all Personal Information;
  3. The categories of Personal Information Wistia has collected about you;
  4. The categories of sources from which Wistia has collected your Personal Information;
  5. The expected period for which the Personal Information will be stored, or, if not possible, the criteria used to determine the retention period;
  6. The business or commercial purpose(s) for collecting, sharing, and disclosing your Personal Information;
  7. An account of how Wistia has used or is using your Personal Information;
  8. A copy of your Personal Information retained by Wistia, to be delivered in a structured, commonly used and machine readable format to review or to transfer or transmit to another entity without hindrance, to the extent that that is technically feasible;
  9. The categories of third parties with whom Wistia shares your Personal Information;
  10. The categories of your Personal Information that we have shared with third parties, including customers, and the categories of third parties to which we have shared each particular category of Personal Information;
  11. The Personal Information Wistia collects, uses, discloses, and sells;
  12. A list of all third parties that have received your Personal Information from Wistia; and
  13. The specific pieces of Personal Information Wistia has collected about you.

If you request that your Personal Information be erased or deleted or that Wistia otherwise restrict its collection and use of Personal Information, Wistia may not being to avoid terminating or limiting your access to the Websites, Media, and Services.

If Wistia has not collected or used your Personal Information, or has not disclosed your Personal Information to another party, Wistia will inform you of that in response to any of the above requests.

Some information may remain in Wistia’s backup media after erasure or deletion for a period of time. When you request that Wistia update information, Wistia may retain a copy of the unrevised information in Wistia’s records. Wistia also may use any anonymized aggregated statistical data derived from or incorporating Personal Information after it is updated, erased, or deleted, but not in a manner that would identify you.

We will confirm receipt of all such Personal Information requests and provide information about how Wistia will process the request within 10 days of receipt. We will substantively respond to all such requests within 30 days, subject to lawful extension of that period, and there may be a delay in processing a request while we verify that the request is valid and originates from you as opposed to an unauthorized third party.

Our verification process varies based on the source and nature of the request, but may include: comparing data in the request against Personal Information we retain; contacting you using other contact information; requesting further information, although we will avoid doing so to the extent possible; and the consideration of certain factors, including the type, sensitivity, and value of your Personal Information, the risk of harm to you posed by an unauthorized request, the likelihood that fraudulent or malicious actors would seek your Personal Information, the manner in which we interact with you, the available technology, and whether the information you have provided to verify your identity is sufficiently robust to protect against fraudulent requests. To the extent permitted by the Privacy Laws, Wistia retains the right to deny any request if we cannot verify that it originated from you.

Wistia retains records of all of the above requests and our responses for 24 months, unless otherwise prohibited by the Privacy Laws.

With regard to the right to be forgotten online, Wistia will take reasonable steps to inform our Third Parties of your request. In order to make any of the requests above,

or by contacting us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

  • All other of the above requests may be made by contacting us at the following link:

https://wistia.com/data-request

Or by sending requests to:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

When you update information, we may maintain a copy of the unrevised information in our records. Please note that some information may remain in our private records after your deletion of such information from your account. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally.

B. YouTube API Services

If you create and log into a Wistia account using a username or email and password combination, you can revoke Wistia’s access to the information Wistia obtains from YouTube API Services that is derived from your use of the Services and access to Media. You may exercise this right at the Google security settings page, https://security.google.com/settings/security/permissions.

You may withdraw your consent at any time by visiting our Privacy & Data Requests page at https://wistia.com/data-request or by contacting us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

Please be aware that such withdrawal does not affect the lawfulness of Wistia’s use of your Personal Information before such withdrawal. If your consent is withdrawn, Wistia may not being to avoid terminating or limiting your access to the Websites, Media, and Services.

D. “Do Not Sell or Share My Personal Information”

Wistia does not sell Personal Information as the CCPA (as amended under the CPRA) defines “sell,” but your Personal Information is shared as described in Section IV above. You may opt out of Wistia’s disclosure and sharing of your Personal Information to Customers and other Third Parties by visiting our Privacy & Data Requests page at https://wistia.com/data-request or by contacting us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

We will act upon any request to opt out of all sales of your Personal Information within 15 days of receiving your request. We will notify all Customers to whom we have disclosed your Personal Information of your request within 90 days of receiving your request and will inform you when we have done so. If you exercise your right to opt out of the disclosure of your Personal Information to Customers, Wistia will cease disclosing your Personal Information to Customers as of the date Wistia receives the form at the link above.

Wistia will not contact you about opting in to disclosing your Personal Information for at least 12 months following receipt of the form.

Please see Section VIII for an explanation how opting out of the disclosure of your Personal Information to Customers may affect service differences offered by Wistia.

E. “Limit the Use of My Sensitive Personal Information”

As described in Section II, we do not knowingly collect Sensitive Personal Information under any of the Privacy Laws, with the exception of messages sent via the Services, your geographic location, and certain financial information that may be collected during the payment process.

You may contact Wistia to request that Wistia limits its use of this Sensitive Personal Information at any time. Doing so may impact certain functions of the Services, including your ability to have ongoing subscriptions with us, allowing other Users to read your messages, and functions that are geographically-based.

To request that Wistia limit its use of your Sensitive Personal Information, please visit our Privacy & Data Requests page at https://wistia.com/data-request or contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

We will act upon any request to limit your Sensitive Personal Information within 15 days of receiving your request.

F. Authorized Agent

You may authorize an agent to take any of the acts permitted in this Section VII on your behalf. To do so, you must provide written and signed authority to the agent, and written and signed notice to Wistia that Wistia may act on such requests by that agent.

G. Requests Regarding Media

Wistia does not collect, process, use, disclose, share, or sell Personal Information from the Media created and distributed by our Customers, e.g., images, voice recordings, etc. If you have any questions regarding the Personal Information contained in particular Media, please contact the party that created or distributed that Media.

H. Object or Challenge

You may object to, or otherwise challenge, Wistia’s collection and use of your Personal Information by visiting our Privacy & Data Requests page at https://wistia.com/data-request or by contacting us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

Wistia will respond within 30 days. Where such objection is received from an individual whose Personal Information Wistia collects and uses as the processor for a controller (as those terms are defined in the GDPR), Wistia will inform the controller of the objection within 30 days.

I. Filing a Complaint

Regulatory authorities that oversee the Privacy Laws typically advise individuals to file an objection or challenge with the company before lodging a formal complaint with a regulatory authority. Please contact us as outlined in the Contact Information section of this Privacy Policy for any complaints and inquiries. We appreciate the opportunity to discuss and solve your complaint.

If you are dissatisfied with Wistia’s response or you wish to file a complaint with a regulatory authority first, please contact the appropriate agency below:

J. Accessibility for Users with Disabilities

If you are unable to review this Privacy Policy or any portion of this Policy, please use the following information to contact us and request an alternative format.

Visit our Privacy & Data Requests page at https://wistia.com/data-request or by contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

K. Non-Discrimination

Wistia will not discriminate against you because you have exercised any of the rights above or any other rights you retain pursuant to Privacy Laws, including, but not limited to by:

  1. Denying goods or services to you;
  2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  3. Providing a different level or quality of goods or services to you; and
  4. Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Consistent with Privacy Laws, Wistia: (i) retains the right to charge you a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to Wistia by your Personal Information; (ii) may offer financial incentives, including payments to you as compensation, for the collection, disclosure, or deletion of your Personal Information; (iii) may enter you into a financial incentive program only if Wistia clearly describes the material terms of the financial incentive program, so long as you give Wistia prior opt-in consent, which you may revoke at any time; and (iv) shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature. Please see Section VIII for an explanation of Wistia’s service differences.

VIII. What Are Wistia’s Service Differences?

Wistia does not offer any financial incentives for providing your Personal Information. However, there are some service differences when users create an account and provide the necessary Personal Information to do so.

Although much Media and parts of the Services may be used and accessed without providing your Personal Information, other Media, portions of Media, and parts of the Services require users to create and log in to a Wistia account. In doing so, you will provide us with a user name or e-mail address and a password. In return we will permit access to Media and Services that are not viewable or accessible to anonymous users. By creating and logging into an account, you will provide your name and contact information, in addition to your username or email and password combination. Per the terms of this Privacy Policy, you will also permit Wistia to automatically collect, use, and share IP addresses, browser information, device information, and information related to the use of the Websites, Media, and Services. Wistia will also collect, use, and share any information you voluntarily provide in your communications to us, your user profile, and other user-generated submissions and content, consistent with the terms of this Privacy Policy.

Consistent with the CCPA, this service difference represents Wistia’s good-faith calculation of how one individual’s Personal Information increases the value of the data we provide to Customers, on average. We calculate this value in conjunction with Customers by comparing the utility of the data collected anonymously against the utility of the Personal Information collected from identified users.

Once you have opted in to this incentive program by creating an account, you may opt-out of this incentive program at any time by deleting your account and/or contacting us:

Visit our Privacy & Data Requests page at https://wistia.com/data-request or by contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

In light of the value Wistia derives from your Personal Information, if, after creating a Wistia account, you exercise your right to request that Wistia delete your Personal Information or to opt out of the sale of your Personal Information, you will not be able to access some Media and parts of the Services, as described above, because we will not be able to provide that Personal Information to our Customers. However, other requests to exercise your data privacy rights that do not affect Wistia’s ability to provide data to our Customers will not affect such access.

IX. Is Personal Information About Me Secure?

We employ appropriate administrative, organizational, technical, and physical measures to protect your Personal Information, which we regularly review and update as necessary.

Your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time.

The Websites may contain links to other sites. We are not responsible for the privacy policies and/or practices on other sites. When following a link to another site you should read that site’s privacy policy.

X. Children’s Privacy

Except when providing the Services to Schools that provide educational and tutoring services to Students, we do not knowingly collect or solicit Personal Information from anyone under the age of 16 or knowingly allow such persons to register for the Services. For further information regarding our treatment of Personal Information of Students collected while providing the Services to please see our Schools & Students Privacy Policy Addendum. Otherwise, if you are under 16, please do not attempt to register for the Services or send any information about yourself to us, including your name, telephone number, or email address. No one under age 16 may provide any Personal Information to us or through the Services except when doing so as part of receiving educational or tutoring services from a School.

In the event that we learn that we have collected Personal Information from a child under age 16 without the involvement of a School or without verification of parental consent, we will delete that information as quickly as possible, except as provided below. If you believe that we might have any information from or about a child under age 16 who did not provide such information through a School’s use of the Services, please contact us:

Visit our Privacy & Data Requests page at https://wistia.com/data-request or by contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

Except for Students’ Personal Information obtained while providing the Services to a School, upon request, we will provide a parent or guardian who has provided proper identification with the following: (1) a description of the specific types of Personal Information collected from the child, (2) the opportunity to refuse or permit Wistia’s further collection and use of Personal Information from the child, and (3) a reasonable means for the parent or guardian to obtain any Personal Information collected from the child. If a parent or guardian does not permit Wistia’s continued collection and use of a child’s Personal Information, Wistia will delete the child’s Personal Information and terminate the account of the child, as applicable.

XI. Contractual or Statutory Requirement

Except as noted in this Privacy Policy or in contractual documents, Wistia’s collection and use of Personal Information is not a contractual or statutory requirement or a requirement necessary to enter into a contract.

XII. Failure to Provide Personal Information

You can always opt not to disclose information to us, but keep in mind some information may be needed to register with us or to take advantage of some of our special features.

XIII. Automated Decision Making

Wistia does not rely on automated decision making, including profiling, and will not subject you to decisions based solely on automated processing which will produce legal effects concerning you or similarly significantly affecting you.

XIV. Data Privacy Framework

Wistia complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively, the “Data Privacy Framework”) with respect to Personal Information we process from the EEA, the UK or Switzerland and transfer to the United States. Wistia has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Information received from the European Union and the United Kingdom (and Gibraltar) in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Wistia has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/. The Federal Trade Commission has jurisdiction over Wistia’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

A. Liability for Onward Transfers

We remain responsible and liable for the Personal Information that we receive under the Data Privacy Framework and subsequently transfer or disclose to third parties for external processing on our behalf, as described in section IV of this Privacy Policy. Wistia shall remain liable under the DPF Principles if such third parties process Personal Information in a manner inconsistent with the DPF Principles, unless Wistia proves that it is not responsible for the event giving rise to the damage.

B. Compelled Disclosure

In certain situations, Wistia may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Wistia will notify you of any such requests unless prohibited by law.

C. Recourse Mechanism and Binding Arbitration

In compliance with the Data Privacy Framework, we commit to resolve DPF Principles-related complaints about our processing of Personal Information. EU, UK, and Swiss citizens with inquiries or complaints regarding our processing of Personal Information received in reliance on the Data Privacy Framework should first contact Wistia. In the event such complaints concerning our processing of Personal information received in reliance on the Data Privacy Framework remain unresolved, EU, UK, and Swiss citizens may refer such unresolved complaints to BBB National Programs, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers for more information or to file a complaint. The services of BBB National Programs are provided at no cost to you.

In case your complaint indicates a violation of obligations under the DPF Principles and your complaint cannot be resolved directly with Wistia, or through the independent dispute resolution mechanism, you may have the right to invoke binding arbitration under certain circumstances. For additional information on this option, please see Annex I of the Data Privacy Framework.

D. Periodic Review and Verification

Wistia will renew its Data Privacy Framework certification annually, unless we subsequently determine that we no longer need such certification or employ a different adequacy mechanism. Prior to such re-certification, Wistia will conduct a self-assessment to ensure that our attestations and assertions with regard to processing of Personal Information is accurate and that Wistia has appropriately implemented these practices.

XV. Changes to this Privacy Policy

We may amend this Privacy Policy from time to time. Use of information we collect now is subject to the Privacy Policy in effect at the time such information is used. If we make changes in the way we use Personal Information, we will notify you by posting an announcement on our Website or sending you an email. You are bound by any changes to the Privacy Policy when you use the Website or the Services after such changes have been first posted.

XVI. Questions or Concerns; Contact Information

If you have any questions or concerns regarding our privacy policies, please contact our data protection officer by sending detailed message to [email protected]. Alternatively, you may contact us by postal service as follows. We will make every effort to resolve your concerns.

Visit our Privacy & Data Requests page at https://wistia.com/data-request or by contact us at:

Attention: Data Protection Office\ Wistia, Inc.\ 120 Brookline Street\ Cambridge, Massachusetts, 02139 USA\ (888) 494–7842\ [email protected]

Effective Date: