
Privacy Policy


This Policy applies to all of Balsamiq's websites, products and services, and any point of contact you might have with Balsamiq.

We define the following as our "Online Services":

  • The balsamiq.com website
  • Balsamiq Cloud
  • Balsamiq for Google Drive
  • Balsamiq for Confluence Cloud
  • Balsamiq for Jira Cloud
  • Balsamiq for ux.stackexchange.com
  • Balsamiq Trello Power-Up

We define the following as our "Licensed Products":

  • Balsamiq for Desktop
  • Balsamiq for Confluence Server
  • Balsamiq for Jira Server

This document is a sister-document to our EULAs & Terms of Service documents. Please make sure you read both carefully before accessing or using a Balsamiq Online Service or Licensed Product.


Our Commitment to Privacy

We have made a commitment to be good citizens. We consider protecting and respecting your personal information as an essential part of that responsibility.

This Privacy Policy describes the whats, hows, and whys of collecting your information. To make it easy to find, we make it available on our homepage and at every point where we request personally identifiable information.

In this Privacy Policy, we sometimes refer to "you". "You" may be a visitor to one of our websites or offices, a user of one or more of our Online Services, or a purchaser of our Licensed Products. We’ll do our best to clarify who we are referring to at various points in the policy.

This Privacy Policy also describes your choices regarding how your data is used, and how you can access, update, or delete this information.

We only collect the minimum amount of personal information necessary to fulfill the purpose of your interaction with us; we keep it only for as long as we have valid reasons to keep it; we never sell or rent it to third parties; and we only use it as this Privacy Policy describes.

Our business model is a very traditional one: we provide products and services, and customers pay us for them. In other words, you are the customer, NOT the product.


Who We Are

Balsamiq is a small multi-national organization, based in Italy and the USA. We've been around since 2008 and are bootstrapped, profitable, and aim for longevity over growth. We believe in forming long-term relationships with our customers, our employees, and our communities. It all starts with trust.

Our Italian company (which does Research and Software Development) is Balsamiq SRL. Our tax identification number (P.IVA and C.F) is IT-02921031205.

Our US company (which primarily does Sales and Marketing) is Balsamiq Studios, LLC. Our Federal Tax Identification Number (EIN) is 26-2200095.

Balsamiq SRL fully owns Balsamiq Studios, LLC, and both are run by our founder and CEO Giacomo Guilizzoni (peldi@balsamiq.com).

In GDPR terminology, our two companies act as joint controllers.

We regard both Balsamiq SRL and Balsamiq Studios, LLC as part of one group and often our joint activities relate to the Balsamiq brand, and not an individual entity. Staff of both Balsamiq entities collaborate together on customer service, marketing, and other tasks. The essence of the joint controllers' agreement between the two is the following:

  • Both Balsamiq entities collaborate in joint processing activities related to all purposes mentioned in this policy.
  • We have established a single contact point for data subjects, as per this Privacy Policy.
  • Data subject requests are handled by both companies.
  • Our main EU establishment is located in Italy.
  • Balsamiq companies share data for internal administrative purposes.
  • Each Balsamiq entity may conclude agreements with processors also on behalf / for the benefit of the other Balsamiq entity.

Data We Collect and How We Use It

    Below is a complete description of data we collect, and what we do with the data. Every piece of information collected is done with a specific purpose, such as to provide our Services to you and to fulfill our legal obligations. If it's not listed here or in our EULA or Terms of Service, we don't do it.

    We refer to data that identifies you as an individual, or that could reasonably be used to identify you, as "Personal Data."

    This data includes:

    • Contact details, such as name, email address, postal address.
    • Financial data such as credit/debit card number.
    • Other personal data, such as IP address, or your image and voice if you participate in a recorded meeting or event with us.

    You can find detailed information on how we keep your data safe in our Information Security page.

    Transaction and Billing Information

    When purchasing directly from Balsamiq we collect data from you in order to complete the transaction and provide you access to our Online Service or Licensed Product. To make it as secure as possible, your credit card information (including number, expiration date and CVC security code) is sent securely to our payment processor directly from your browser. The processor validates it and sends us a validation code we can use to finish the purchase.

    In the case of our Subscription Services (Balsamiq Cloud, and Balsamiq Wireframes for Google Drive) the processor stores your credit card information as well as your billing contact information in order to process your monthly or annual automatic renewals, or to allow you to upgrade or downgrade your subscription without re-entering a credit card number.

    We never have access to, nor store, your full credit card information.

    The payment processor code we use also sets a cookie in your browser, to remember your info for future purchases. You can delete or block that cookie if you wish; our website will continue to work.

    We require you to enter your billing information. This data, as well as the last four digits of your credit card (which are sent to us by our payment processor), is stored in our transaction database (which we call "Olio") in order to maintain our financial records. This information appears on your invoice, which can be accessed by anyone who has been sent the URL link to your invoice. We make the invoice links purposefully long and hard to guess for added security, and we prevent search engines from indexing them.

    We automatically email the public invoice link following the purchase to the email address(es) you have provided.

    The history of changes to the billing contact information on the invoice made by you or our team is logged and stored in Olio.

    As part of purchasing a Licensed Product directly from us (Balsamiq for Desktop or Atlassian Server Apps), you are requested to enter a License Name. This is usually a company name, but sometimes an individual's name is entered. This name is kept in Olio to maintain accurate purchase records.

    If we have issued you a free license or a trial license extension via email, we will have saved your email address in Olio along with the License Name we issued, which may be in a company or individual's name, depending on the case. We keep this data to track the software we have given out.

    Subscription Service records may include more than one billing contact. These email addresses and related billing contact information can be updated at any time and the history of changes is logged in Olio.

    Lastly, if you have purchased one of our Atlassian Apps for Jira or Confluence directly from the Atlassian Marketplace, Atlassian has offered us access to the billing records for purchases of our app. We import this data, which includes limited Personal Data such as the technical and billing contacts' email addresses and names, into Olio. This information is used to offer better support to customers by having all purchase records together, as well as for our accounting purposes. Data from Atlassian includes purchase price, but not details on the payment method. Atlassian is not responsible for the privacy, accuracy, or security of this data.

    The data we collect in Olio, including Personal Data, is not shared with third parties, except for the purposes of determining the validity of a payment. In this case we may share the name and email address associated with the purchase with the credit card holder, your company’s accounting department, or with our payment processor when responding to a chargeback.

    We only send emails to the email addresses we collect in Olio to communicate account activity such as purchase confirmation and subscription status (renewal, cancellation, etc.), and relevant product or company information (like a feature update).

    Personal Data for Online Services

    User Account Information

    For our Online Services that have the concept of a "User Account", we store your name, email address, and if you upload it, a photo to use as your avatar.

    We use this information to identify you as a user of the Online Service.

    Cookies

    For the Online Services where you have a separate User Account, we may use cookies to identify whether you have logged in. Therefore, your browser must be enabled to accept cookies from our Online Service's domain in order for you to use it.

    Passwords

    We store passwords only for Online Services with separate Balsamiq "User Accounts." We never store these passwords in the clear. No one can see them. We either save them in our database using best-practice cryptographic hashing, or go through a third-party authentication provider (see below).

    It is your sole responsibility to keep your user name, password, and other sensitive information confidential. If you become aware of any unauthorized use of your account or any other breach of security, you must notify Balsamiq immediately.

    If you forget your password, we send you a secure link via email that lets you reset it.

    Balsamiq staff will never change a password for you, nor change the Owners (as defined in the Terms of Service) or Billing Administrators. Please refer to our documentation to learn how to assign or revoke these roles yourself.

    Exceptions

    For those Online Services that do not require a separate User Account:

    Atlassian Confluence and Jira apps: we do not store user data other than what is described in the Transaction and Billing Information section.

    Balsamiq Wireframes for Google Drive: we store the user's email address and ID to properly identify the Google account.

    A password is not required to use the following websites:

    • The balsamiq.com website
    • Balsamiq for ux.stackexchange.com

    Personal Data for Licensed Products

    Our Licensed Products do not "call home" unless in response to specific in-app user actions that require online access, like accessing our online documentation, registering Balsamiq for Desktop licenses, or playing background music.

    There is an optional Support Contact form that collects your name and email address when you email support from the app.

    The only other Personal Data we store for Licensed Products is related to the purchase transaction as described above.

    Personal Data Stored Inside Projects

    As described in the BMPR file format documentation, any time a user interacts with the Comments feature, their user ID, email address and name are stored inside the project database or file.

    Communication with Us

    If you send us an email to an address that ends in '@balsamiq.com', use one of the in-app contact forms, or use one of the online forms on our website balsamiq.com, or send us a crash report, we collect your name and email address and any additional information and documents you send us in your correspondence.

    We keep that data in our help desk software indefinitely. The customer interaction history helps us provide you with better customer service and helps us research how to improve our products and services.

    We also use this information to proactively contact you if we see from our logs that you're having an issue with our Services, or if we resolved an issue you reported. If you have expressed interest, or we think you might benefit, we also email you to notify you of beta programs or user research interviews.

    If you share with us a wireframe, file, image or video that includes Personal Data, we treat it according to this Privacy Policy. We keep it for the shortest amount of time possible and anonymize it if we can.

    Online Forms on Balsamiq.com

    We have various forms available on our websites. These forms capture your name, email address, and other information depending on which form you are using (newsletter, webinars, job applications, support requests, scheduling free online office hours, and others).

    We may keep some of this data indefinitely, but you are always free to ask us to delete it (see How to Access or Control Your Data below).

    Our emails to you will always include a link to unsubscribe.

    User Research

    We conduct different types of user research studies to uncover new ways of making Balsamiq better for our customers.

    The data we collect during research is confidential, and we don't share it outside our company.

    Whenever possible, we anonymize the data. We may use this anonymized data in our different publications.

    We delete personal data after each user research study is concluded, and never keep it for longer than 2 years. You can request to have your personal data deleted at any time.

    The Research Program allows us to have pre-qualified participants for studies and build richer relationships with them.

    Research Program members receive emails periodically, informing them about upcoming studies and research updates. You can unsubscribe from the update emails but stay in the CAB. We keep your data in the CAB until you tell us you want to leave it.

    Company News Comments

    In order to submit a comment to our company news, we ask you to enter your name and email address, so that we can attribute the comment to you and so that we can get in touch if needed to help you with your question or comment. We store your email address with our WordPress hosting provider.

    Visiting Our Online Services

    We use Google Analytics to help us in our marketing and product design efforts, but we only track aggregate and anonymized data. The Google Analytics code we use saves up to 4 cookies on your computer. You can delete or block those any time you wish; our website will continue to work.

    We collect the IP addresses of everyone who visits our site or uses our Services. This information is used for debugging and DDoS prevention, and kept in our logs for 2 weeks.

    Visiting Our Offices

    When visiting our offices, you might get photographed or recorded. We may use your image for security and marketing purposes.


    Third-Party Vendors

    In order to keep your Personal Data as secure as possible, we don't own any servers of our own. Instead, we rely on best-in-class third-party services to store your data more securely than what we would be able to do ourselves.

    Here's the list of third-party vendors we may share your information with, and links to their privacy policies:

    | Vendor | Purpose | Entity Country | Privacy Policy Link |
    |---|---|---|---|
    | Airtable | User Research Database | USA | Airtable Privacy Policy |
    | Amazon Web Services (AWS) | Host our software and databases | USA/Ireland | AWS Privacy Policy |
    | Atlassian | Confluence: store data from balsamiq.com online forms, as well as customer lists for beta programs, user research, and similar | USA | Atlassian Privacy Policy |
    | Avalara | U.S. sales tax calculation and compliance | USA | Avalara Privacy Policy |
    | Google | Google Workspace: Store customer emails, data from balsamiq.com online forms, customer lists for beta programs, user research, and similar. Google Analytics: Aggregate website visitor statistics. Google Cloud: Host the software and database for our Balsamiq for Google Drive app. | USA | Google Workspace Security and Trust; Google Privacy Policy; Google Cloud Platform Privacy Policy |
    | Help Scout | Support Help Desk | USA | Help Scout Privacy Policy; Help Scout Security |
    | Klaviyo | Send customer product and marketing emails | USA | Klaviyo Privacy Policy |
    | Lookback | Remote moderated and unmoderated usability testing | USA | Lookback Privacy Policy |
    | Pivotal Tracker | User research notes | USA | Pivotal Tracker Privacy Policy; GDPR and Data Security |
    | Postmark | Transactional application emails | USA | Postmark Privacy Policy; Postmark EU Data Protection |
    | Printful | Swag store | USA | Printful Privacy Policy |
    | ProfitWell | Provide analysis of Stripe data | USA | ProfitWell Privacy Policy; ProfitWell Security |
    | Stripe | Payment processor | USA | Stripe Privacy Policy |
    | Lyssna | User Research | Australia | Lyssna Privacy Policy |
    | WPEngine | Company News Blog Hosting | USA | WPEngine Privacy Policy; WPEngine & GDPR Compliance |

    How to Access or Control Your Data

    You have the right to request a copy of your information, to object to our use of your information, to request the deletion or restriction of your information, or to request your information in a structured, electronic format.

    Balsamiq Cloud gives you a way to access your personal information and correct it, via User Settings or a billing page.

    Most of our Online Services give you a way to download or delete your data at any time. Once you delete your data, unless specified otherwise, we keep it in our backups for up to 90 days, then destroy it with no way to recover it. For archival, support and/or bug fixing purposes, we may save your data for longer than 90 days.

    If you have any questions or concerns or would like to invoke your rights regarding your Personal Data, such as requesting a copy of your data or rectifying or deleting data, don't hesitate to email us at privacy@balsamiq.com.

    To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections. We use this procedure to better safeguard your information. You can correct factual errors in your personally identifiable information by sending us a request that credibly shows the error.

    We will respond as quickly as possible, and certainly within 30 days.

    In certain circumstances we may need to retain certain information for record-keeping purposes, to complete transactions or to fulfill obligations dictated by the law, including tax or regulatory requirements, or other lawful purposes.


    Data Security

    To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

    If we become aware of a data breach that affects your Personal Data, we will notify you (and the appropriate national supervisory authorities) within 72 hours.

    Our detailed Information Security information is here.

    Who Can See My Wireframes?

    The people you share them with, as described in our Online Service or Licensed Product's documentation.

    For the Balsamiq Services that have the concept of Owners (as defined in Terms of Service), they will be able to see your wireframes as well.

    For Online Services some Balsamiq employees will also have access, according to the following guidelines:

    • We restrict who at Balsamiq can access customer data to only senior members of the team, and never to outside parties.
    • We only access your wireframes in response to a customer support question, or to debug and fix an issue.
    • We never make changes to anything unless explicitly requested by an Owner.
    • We never share what we see with other customers, the general public, or the rest of the Balsamiq staff.
    • We might give access to government authorities if requested in writing. We’ll try not to, but we don’t have the resources to fight the government. We’ll also keep your Owner(s) informed as much as we can if this happens.

    Where Are My Wireframes Stored?

    • Balsamiq does not store nor have access to wireframe data of our Licensed Products. Users choose where to store their wireframes.
    • Balsamiq stores wireframes for Cloud until an account is deleted.
    • Google Drive, Confluence Cloud, and Jira Cloud integrations store a temporary copy of your projects on our servers. This is done to provide functionality, such as autosave and real-time-collaboration.
      • The data is regularly sent back to the platform for official storage (as a Google Drive file or as a Jira issue attachment). We keep this temporary data for 30 days. If there are errors sending it to the platform, we might keep the data for longer, as a backup. We do not permanently store or delete these wireframes.

    EU-U.S. Data Privacy Framework

    Balsamiq Studios, LLC* complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Balsamiq Studios, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Balsamiq Studios, LLC, has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit the link here

    In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Balsamiq Studios, LLC, commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Balsamiq Studios, LLC, commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Balsamiq Studios, LLC at: privacy@balsamiq.com

    In certain situations, Balsamiq Studios, LLC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We remain liable for all the personal information we receive under the DPF and that we subsequently transfer to third parties acting as agents on our behalf if they process personal information in a manner inconsistent with the DPF principles, unless we prove we are not responsible for the event giving rise to the damage. With respect to personal data received or transferred pursuant to the EU-U.S. Data Privacy Framework, Balsamiq Studios, LLC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). Under certain conditions, the EU-U.S. Data Privacy Framework provides the right to invoke binding arbitration when other dispute resolution procedures have not provided resolution. This is described in Annex I to the EU-U.S. Data Privacy Framework.

    *Only US-based entities are eligible to self-certify under the EU-U.S. Data Privacy Framework. Therefore, as an EU-based entity, Balsamiq SRL does not need to self-certify under the EU-U.S. Data Privacy Framework in order to transfer data outside of the EU.


    Children's Privacy

    Protecting the privacy of the very young is especially important. For that reason, we rarely include photos of children on our social media. In the rare case that we do, explicit parental permission has been granted for this purpose. Furthermore, we never collect or maintain information on our Online Service or Licensed Products from those we actually know are under 16, and no part of our Online Service or Licensed Products is structured to attract anyone under 16. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact us at privacy@balsamiq.com.


    Changes to this Privacy Policy

    We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice by adding a notice on our homepage, product login screens, or by sending you an email notification. We also keep prior versions of this Privacy Policy in an archive for your review.


    Contact Balsamiq

    Should you have questions or concerns about our Privacy Policy, our practices, or any of our legal documents, please send us an e-mail at privacy@balsamiq.com.

    Balsamiq Studios, LLC
    1517 24th Street
    Sacramento, CA, 95816-6206

    Balsamiq SRL
    Via Romita 2/5
    40128 Bologna (BO)
    Italy


    Document History

    • 11 January 2024: Removed Mailchimp, no longer used.
    • 8 December 2023: Removed WireframesToGo.com, which is now integrated in the app.
    • 24 October 2023: Added EU-U.S. Data Privacy Framework information.
    • 30 August 2023: Updated deleted data retention period from "up to 60 days" to "up to 90 days".
    • 31 July 2023: Added Pivotal Tracker as a Third-Party Vendor.
    • 19 May 2023: Added Klaviyo and ProfitWell as Third-Party Vendors.
    • 5 Jan 2023: Added a note about us potentially emailing customers with relevant product information, and merged the Newsletter section into the "Online Forms" section.
    • 31 Aug 2022: Added Airtable and Lookback as Third-Party Vendors.
    • 8 Apr 2022: Added some wording about visiting our offices.
    • 21 Feb 2022: Removed Zoom Third-Party Vendor.
    • 4 Oct 2021: Added information about our in-app contact forms.
    • 19 Apr 2021: Added Zoom and UsabilityHub as Third-Party Vendors. Added information to further clarify the relationship between Balsamiq SRL and Balsamiq Studios, LLC as joint controllers.
    • 3 Feb 2021: Added Trello Power-Up.
    • 15 Dec 2020: Removed Sendgrid and YouCanBook.Me as Third-Party Vendors.
    • 9 Dec 2020: Removed myBalsamiq following its shutdown and removed PubNub as a Third-Party Vendor.
    • 12 Nov 2020: Updated Online Forms section to be more general, added note on Privacy Shield Notice to indicate our awareness of the recent ruling, and updated Third-Party Vendors list.
    • 2 Apr 2020: Added "Personal Data Stored Inside Projects" section, and mention of crash reports.
    • 21 Feb 2020: Added "User Research" section, clarified "Other Personal Data", and specified how we treat artifacts you send us that contain Personal Data.
    • 17 Jan 2020: Several updates to improve readability, clarify where wireframes are stored, how to invoke your rights, third-party vendors updates, and to clarify when Licensed Products may "call home".
    • 2 May 2019: Added note to comply with section 8.4(d) of the Atlassian Vendor Agreement, added more details to highlight the differences between our Online Services, and how they manage data.
    • 7 Nov 2018: Updated with Privacy Shield information.
    • 2 Aug 2018: Updated deleted data retention period from "7 days" to "up to 60 days".
    • 31 May 2018: Added Wireframestogo.com and UXApprentice.com, improved Children's Privacy section, added proactive support info, and fixed some typos.
    • 25 May 2018: major update to unify our separate privacy policies into one, and to add more detail as required by GDPR.
    • 2008_03_15_balsamiq_privacy_policy.pdf - published March 15, 2008.