
Compliance With Laws

Data privacy is taken very seriously around the world, and some jurisdictions require specific terms to be documented between data controllers and data processors, typically in the form of a Data Processing Agreement (DPA). Our DPA sets out the way we process customer personal data at Dovetail and helps our customers meet onward transfer requirements under applicable laws (such as the GDPR, CCPA, UK GDPR, and LGPD).

For more details regarding Dovetail's compliance with applicable privacy laws, please examine the sections below along with our Trust Center.

Our GDPR Commitment

The General Data Protection Regulation (“GDPR”) is the most significant change to European data privacy legislation in the last 20 years and went into effect on May 15, 2018. The GDPR is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law.

Dovetail has made information security and data privacy foundational principles of everything we do, and we recognize the importance of adhering to regulations to advance information security and data privacy for citizens of the EU. This FAQ is designed to help Dovetail customers and users understand, and where applicable, comply, with the GDPR.


GDPR compliance

We appreciate that our customers have requirements under the GDPR that are directly impacted by their use of our Services. Below are several GDPR initiatives that have been implemented across our Services:

  • Investment in security – We’ve increased our investment in security. This includes implementing dependency vulnerability detection, improved auditing and logging across all services, new internal security policies, staff security training, improved password and secret management, 2FA enforcement, stronger password policies, and more.

  • Employee training – We ensure our team are trained in handling customer data and personal information, and that they maintain the confidentiality and security of that data.

  • Updated terms – We have updated the structure and language used in all of our terms and policies to more clearly communicate what information we collect, what we use it for, who we share it with, what your rights are, and more.

  • Data Processing Agreement – We support the EU’s Standard Contractual Clauses through a Data Processing Agreement that you can sign and return to us.

  • Data Sub-Processors – We list all of our third-party data sub-processors and share information on what we use them for and where they are located.

  • Data Subject Access Request procedure – We’ve streamlined our Data Subject Access Request procedure and documented the procedure on our website.

  • Data portability – We’ve improved our data export features so customers may export customer data and personal information in a machine-readable format at any time.

  • EU data storage – You can choose to host certain data you upload to your Dovetail workspace in our data center located in Ireland.


Our security

We appreciate that we are entrusted with valuable and sometimes sensitive user research data, which is why we have built security into every layer of our architecture, pursuing a ‘privacy by design’ approach to the design and development of our Services.

Our application is built on world-class, modern cloud infrastructure designed to ensure the safety of your data. We have carefully chosen proven third-party cloud providers that have a great security track record, and we employ best practices, including regular backups, data encryption, sanitized logging, and common attack prevention.

Read more about our security practices.


International data transfers

We offer customers a robust international data transfer framework as part of our Data Processing Agreement (“DPA”). This addendum ensures that our customers can lawfully transfer personal data to our Services outside of the European Economic Area by relying on the Standard Contractual Clauses. Our DPA also contains specific provisions to assist customers in their compliance with the GDPR.


Data portability and right to be forgotten

We help you honor your customers’ requests to export their data. Dovetail provides data portability and data management tools for exporting product and user data.

We also help customers meet obligations under the GDPR ‘right to be forgotten’ (or ‘right to erasure’) clause by making it easy to request the deletion of personal data from Dovetail. For more information on this procedure, see Data Subject Access Request.


Your privacy is important to us, and so is being transparent about how we collect, use, and share your information. In our Privacy Policy, we share what information we collect, how we use and store that data, and how you can access and control your information.


Additional resources

The following resources might prove useful:

California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

Dovetail does not currently meet the criteria that would make the CCPA apply to our business operations, namely because we do not:

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or

  • Derive 50% or more of our annual revenue from selling California resident's personal information.

However, we understand that some Dovetail customers may want to ensure that their use of our services, and any California resident's personal information that we process on behalf of our customers, is compliant with their own obligations under the CCPA.

This page helps to clarify how we process any personal information obtained from the Services on behalf of our customers as it relates to the CCPA.

Processing of personal information

You do not sell personal information to us. We will not:

  1. sell any personal information;

  2. retain, use, or disclose the personal information for a commercial purpose, other than for providing the Services, as further described in our Master Subscription Agreement and in our Privacy Policy; and

  3. further retain, use, or disclose the personal information except for business purposes or as otherwise authorized by the CCPA.

Our obligations to you

Consumer rights requests

We will provide reasonable assistance to you in facilitating compliance with consumer rights requests.

Personal information deletion

On termination, you have the option to request the return or deletion of personal information. This request must be made within 30 days of termination. We will make the data available for download by you in a machine-readable format. Thereafter we will permanently delete the personal information from the live systems in any event.

Following permanent deletion from the live systems, partial data resides on our archival and backup systems for a period of up to 14 days.

For more information, please read our data retention documentation.

Confidentiality

We will ensure that all employees, agents, officers and contractors involved in the handling of personal information are aware of the confidential nature of the personal information and are contractually bound to keep the personal information confidential.

For more information, please read about our employee confidentiality agreements.

Australian Privacy Act

As an Australian-based business, our information security and data privacy practices and policies are also guided by applicable Australian law, namely the Australian Privacy Act 1988 (Cth). The Privacy Act includes requirements similar to those of the GDPR, such as fostering transparent information handling practices and business accountability to give individuals confidence that their privacy is being protected, requiring businesses to implement measures that ensure compliance with a set of privacy principles, and taking a ‘privacy by design’ approach to compliance.

The Australian Privacy Principles are a cornerstone of the Privacy Act, and govern standards, rights, and obligations concerning:

  • the collection, use and disclosure of personal information;

  • an organization or agency’s governance and accountability;

  • integrity and correction of personal information; and

  • the rights of individuals to access their personal information.

We have outlined below the measures we have taken to align our services and operations with the 13 Australian Privacy Principles (APPs).

Open and transparent management of personal information (APP 1)

We aim to manage personal information in an open and transparent way, with a clear Privacy Policy. We have also taken steps to detail the organizational, technical, and security measures we have put in place to safeguard how we manage personal information across our business.

Anonymity and pseudonymity (APP 2)

There is no requirement for you to provide personal information when using our services or when communicating with us. Our services have been designed to give you full control over the information that you provide to us.

Collection of solicited personal information (APP 3)

Through providing our services we may, at times, solicit personal information from you, such as when you create a user account for our services, complete profile information, contact us for support, or make a credit card payment. Solicitation of personal information does not remove your right to anonymity and pseudonymity as described in APP 2, except where it is deemed reasonably necessary.

Dealing with unsolicited personal information (APP 4)

Through your use of our services, there may be circumstances where you supply us with the personal information of your customers or research participants, for example. This is personal information that is unsolicited by us and solely provided and held by you. Because the nature of our services relies on processing this information on your behalf, it is unreasonable for us to destroy or de-identify any unsolicited personal information that you provide to us through your use of the services, as this would affect our ability to adequately provide the services to you. You are solely responsible for managing any personal information held by you and provided to us through your use of the services. Any unsolicited personal information that you provide to us is dealt with in accordance with APPs 5–13 where applicable.

Notification of the collection of personal information (APP 5)

In circumstances where we collect personal information, we take steps to notify you about the purpose and circumstance of any collection. This is described in detail in our Privacy Policy.

Use or disclosure of personal information (APP 6)

We do not process or disclose personal information for any purpose other than to provide the services to you (our 'primary purpose'). We take technical and organizational measures to ensure that any entity authorized by us to process personal information does so solely to the extent necessary to provide the services to you. Where disclosure is required by law, to the extent legally permitted, we will notify you of such disclosures.

Direct marketing (APP 7)

From time to time we may use solicited personal information to communicate directly with you and our customers to advertise and promote improvements to our product and services. In these circumstances, we will always provide a facility for you to opt out of receiving such communications. Upon request, we are able to provide the source of an individual's personal information used in direct marketing communications.

Cross-border disclosure of personal information (APP 8)

As part of providing our services, personal information may be disclosed through transfers to our services infrastructure that may be located in foreign countries, such as the United States. We publish a full list of our data subprocessors who we may disclose personal information to through our provision of the services to you.

We take reasonable steps to ensure that all overseas recipients of personal information will handle it in accordance with the APPs. In circumstances where an overseas recipient may not comply with the APPs, we take measures to ensure that the overseas recipient is subject to laws and binding schemes that have the effect of protecting information in a way that is substantially similar to the APPs, such as the Standard Contractual Clauses for data transfers under the GDPR.

Adoption, use or disclosure of government related identifiers (APP 9)

We do not solicit the collection of government related identifiers through our provision of the services. We do not adopt any government related identifier in the design of our services.

Quality of personal information (APP 10)

We take reasonable steps to ensure that the personal information we collect is accurate, up-to-date and complete. To help maintain the quality of personal information, we have implemented a number of features and controls within the services to give you the ability to review, manage, and maintain the personal information that we collect about you.

Security of personal information (APP 11)

We actively take measures to ensure the security of personal information that we hold. We have implemented a number of technical and organizational security measures to protect information from misuse, interference and loss, as well as unauthorized access, modification or disclosure.

Access to personal information (APP 12)

Where we hold personal information about an individual, we are committed to providing the individual access to that information on request. If we receive a request to access personal information related to your use of our services that is held by you then, to the extent legally permissible, we will advise the requester to submit the request to you. To the extent that you are unable to address a particular request, we will, upon your request and taking into account the nature of the personal information requested, provide reasonable assistance in addressing the personal information (provided we are legally permitted to do so and that you have verified the request in accordance with applicable privacy law).

Correction of personal information (APP 13)

We take reasonable steps to correct personal information and ensure that it is accurate, up-to-date, complete, relevant, and not misleading. To help correct and maintain the quality of personal information, we have implemented a number of features and controls within the services to give you the ability to review, manage, and maintain the personal information that we collect about you.


Last updated 1 July 2025