Privacy Policy


Effective May 25, 2018. Document History

This Policy applies to all of Balsamiq's websites, products and services, and any point of contact you might have with Balsamiq.

We define the following as our "Online Services":

  • The balsamiq.com websites (balsamiq.com, docs.balsamiq.com, support.balsamiq.com, blog.balsamiq.com)
  • Balsamiq Cloud
  • Balsamiq for Google Drive
  • Balsamiq for Confluence Cloud
  • Balsamiq for Jira Cloud
  • myBalsamiq
  • Balsamiq for ux.stackexchange.com
  • Wireframestogo.com
  • UXApprentice.com

We define the following as our "Licensed Products":

  • Balsamiq for Desktop
  • Balsamiq for Confluence Server
  • Balsamiq for Jira Server

This document is a sister-document to our EULAs & Terms of Service documents. Please make sure you read both carefully before accessing or using a Balsamiq Online Service or Licensed Product.

Our Commitment to Privacy

We have made a commitment to be good citizens. We consider protecting and respecting your personal information as an essential part of that responsibility.

This Privacy Policy describes the whats, hows, and whys of collecting your information. To make it easy to find, we make it available on our homepage and at every point where we request personally identifiable information.

In this Privacy Policy, we sometimes refer to "you". "You" may be a visitor to one of our websites, a user of one or more of our Online Services, or a purchaser of our Licensed Products. We’ll do our best to clarify who we are referring to at various points in the policy.

This Privacy Policy also describes your choices regarding how your data is used, and how you can access, update, or delete this information.

We only collect the minimum amount of personal information necessary to fulfill the purpose of your interaction with us; we keep it only for as long as we have valid reasons to keep it; we never sell or rent it to third parties; and we only use it as this Privacy Policy describes.

Our business model is a very traditional one: we provide products and services, and customers pay us for them. In other words, you are the customer, NOT the product.

Who We Are

Balsamiq is a small multi-national organization, based in Italy and the USA. We've been around since 2008 and are bootstrapped, profitable, and aim for longevity over growth. We believe in forming long-term relationships with our customers, our employees, and our communities. It all starts with trust.

Our Italian company (which does Research and Software Development) is Balsamiq SRL. Our tax identification number (P.IVA and C.F) is IT-02921031205.

Our American company (which primarily does Sales and Marketing) is Balsamiq Studios, LLC. Our federal tax identification number (EIN) is 26-2200095.

Balsamiq SRL fully owns Balsamiq Studios, LLC, and both are run by our founder and CEO Giacomo Guilizzoni (peldi@balsamiq.com).

In GDPR terminology, our two companies act as joint controllers, with main EU establishment in Italy.

Data We Collect and How We Use It

Below is a complete description of data we collect, and what we do with the data. If it's not listed here or in our EULA or Terms of Service, we don't do it.

We call data that identifies you as an individual, or that could reasonably be used to identify you, "Personal Data."

This data includes:

  • Contact details, such as name, email address, postal address.
  • Financial data such as credit/debit card number.
  • Other personal data, such as IP address.

You can find detailed information on how we keep your data safe in our Information Security page.

Transaction and Billing Information

When purchasing directly from Balsamiq we collect data from you in order to complete the transaction and provide you access to our Online Service or Licensed Product. To make it as secure as possible, your credit card information (including number, expiration date and CVC security code) is sent securely to our payment processor directly from your browser. The processor validates it and sends us a validation code we can use to finish the purchase.

In the case of our Subscription Services (Balsamiq Cloud, Balsamiq Wireframes for Google Drive, and myBalsamiq) the processor stores your credit card information as well as your billing contact information in order to process your monthly or annual automatic renewals, or to allow you to upgrade or downgrade your subscription without re-entering a credit card number.

We never have access to, nor do we store, your full credit card information.

The payment processor code we use also sets a cookie in your browser, to remember your info for future purchases. You can delete or block that cookie if you wish; our website will continue to work.

We require you to enter your billing information. This data, as well as the last four digits of your credit card, which are sent to us by our payment processor, is stored in our transaction database (which we call "Olio") in order to maintain our financial records. This information appears on your invoice, which can be accessed by anyone who has been sent the URL link to your invoice. We make the invoice links purposefully long and hard to guess for added security, and we prevent search engines from indexing them.

We automatically email the public invoice link following the purchase to the email address(es) you have provided.

The history of changes to the billing contact information on the invoice made by you or our team is logged and stored in Olio.

As part of purchasing a Licensed Product directly from us (Balsamiq for Desktop or Atlassian Server plugins), you are requested to enter a License Name. This is usually a company name, but sometimes an individual's name is entered. This name is kept in Olio to maintain accurate purchase records.

If we have issued you a free license or a trial license extension via email, we will have saved your email address in Olio along with the License Name we issued, which may be in a company or individual's name, depending on the case. We keep this data to track the software we have given out.

Subscription Service records may include more than one billing contact. These email addresses and related billing contact information can be updated at any time, and the history of changes is logged in Olio.

Lastly, if you have purchased one of our Atlassian Plugins (Add-ons) for Jira or Confluence directly from the Atlassian Marketplace, Atlassian has offered us access to the billing records for purchases of our plugin (add-on). We import this data, which includes limited Personal Data such as the technical and billing contacts' email addresses and names, into Olio. This information is used to offer better support to customers by having all purchase records together, as well as for our accounting purposes. Data from Atlassian includes purchase price, but not details on the payment method.

The data we collect in Olio, including Personal Data, is not shared with third parties, except for the purposes of determining the validity of a payment. In this case we may share the name and email address associated with the purchase with the credit card holder, your company’s accounting department, or with our payment processor when responding to a chargeback.

We only send emails to the email addresses we collect in Olio to communicate account activity such as purchase confirmation and subscription status (renewal, cancellation, etc.).

Personal Data for Online Services

Cookies

For the Online Services where you have to log in, we may use cookies to identify whether you have logged in. Therefore, your browser must be enabled to accept cookies from our Online Service's domain in order for you to use it.

Passwords

When we store passwords, we never store them in the clear. No one can see them. We either save them in our database using best-practice cryptographic hashing, or go through a third-party authentication provider (see below).

It is your sole responsibility to keep your user name, password and other sensitive information confidential. If you become aware of any unauthorized use of your account or any other breach of security, you must notify Balsamiq immediately.

If you forget your password, we send you a secure link via email that lets you reset it.

Balsamiq staff will never change a password for you, nor change the Owners (as defined in the Terms of Service) or Billing Administrators. Please refer to our documentation to learn how to assign or revoke these roles yourself.

User Account Information

For our Online Services that have the concept of a "User Account", we store your name, email address, and if you upload it, a photo to use as your avatar.

We use this information to identify you as a user of the Online Service.

Personal Data for Licensed Products

Our Licensed Products do not "call home", nor transmit any data to our servers.

The only Personal Data we store for Licensed Products is related to the purchase transaction as described above.

Communication with Us

If you send us an email to an address that ends in '@balsamiq.com', or use one of the online forms on our website balsamiq.com, we collect your name and email address and any additional information and documents you send us in your correspondence.

We keep that data in our help desk software indefinitely. The customer interaction history helps us provide you with better customer service and helps us research how to improve our products and services.

We also use this information to proactively contact you if we see from our logs that you're having an issue with our Services, or if we resolved an issue you reported. If you have expressed interest in them, we also email you to notify you of beta programs or user research interviews.

Newsletter

If you choose to sign up for our newsletter, we ask you to enter your email address so that we can send you the newsletter. We keep your email address with our newsletter service provider until you unsubscribe via the link included in every newsletter.

Online Forms on Balsamiq.com

If you have applied for a job or applied for one of our raffles for a free ticket to a conference, we ask you to enter your name and email address so that we can get back to you, as well as any application information you wish to provide in response to our questions.

We keep job application data in our wiki indefinitely, for future job openings. You are free to ask us to delete it, of course (see How to Access or Control Your Data below).

We keep raffle data in our wiki until the end of each raffle, after which it is deleted.

Blog Comments

In order to submit a comment to our blog, we ask you to enter your name and email address, so that we can attribute the comment to you and so that we can get in touch if needed to help you with your question or comment. We store your email address with our WordPress hosting provider.

Online Forums

To interact with us via our online forums, you need to create a user account. We use a third party vendor to host the forums, so your personal data is not shared with us. Please refer to their privacy policy for details.

Visiting Our Online Services

We use Google Analytics to help us in our marketing and product design efforts, but we only track aggregate data. The Google Analytics code we use saves two cookies on your computer: _ga and _gid. You can delete or block those any time you wish; our website will continue to work.

We collect the IP addresses of everyone who visits our site or uses our Services. This information is used for debugging and DDoS prevention, and kept in our logs for 2 weeks.

Third-Party Vendors

In order to keep your Personal Data as secure as possible, we don't own any servers of our own. Instead, we rely on best-in-class third party services to store your data more securely than what we would be able to do ourselves.

Here's the list of vendors we use, and links to their privacy policies:

| Vendor / Product | Purpose | Entity Country | Privacy Policy Link |
|---|---|---|---|
| Amazon Web Services (AWS) | Host our software and databases | USA | AWS Privacy Policy |
| Google App Engine | Host the software and database for our Balsamiq for Google Drive Plugin | USA | Google Cloud Platform Privacy Policy |
| Google Analytics | Aggregate website visitor statistics | USA | Google Privacy Policy |
| Google Sheets | Store data from balsamiq.com online forms, as well as customer lists for beta program and similar | USA | G Suite Security and Trust |
| Atlassian Confluence | Store data from balsamiq.com online forms, as well as customer lists for beta program and similar | USA | Atlassian Privacy Policy |
| Help Scout | Support Help Desk | USA | Help Scout Privacy Policy; Help Scout Security |
| MailChimp | Newsletter delivery | USA | Mailchimp Privacy Policy; About the General Data Protection Regulation |
| Postmark | Transactional application emails | USA | Postmark Privacy Policy; Postmark EU Data Protection |
| Stripe | Payment processor | USA | Stripe Privacy Policy |
| Pin Payments | Payment processor (we're phasing this out. Still used for some legacy myBalsamiq and Balsamiq Wireframes for Google Drive subscriptions) | Australia | Pin Payments Privacy Policy |
| Auth0 | Authentication for Balsamiq Cloud (will be phased out soon in favor of our own home-grown solution) | USA | Auth0 Privacy Policy |
| PubNub | Real-Time-Collaboration messaging for Balsamiq Cloud and myBalsamiq | USA | PubNub Privacy Policy |
| WPEngine | Blog Hosting | USA | WPEngine Privacy Policy; WPEngine & GDPR Compliance |
| Discourse | Forums Hosting | USA | Discourse Privacy Policy |

How to Access or Control Your Data

If you have any questions or concerns about how your Personal Data is processed, or if you want a copy of your data, or want to rectify it or delete it (to the extent that's possible by law), don't hesitate to email us at privacy@balsamiq.com.

Balsamiq Cloud and myBalsamiq give you a way to access your personal information and correct it, via User Settings or a billing page.

Most of our Online Services give you a way to download or delete your data at any time. Once you delete your data, unless specified otherwise, we keep it in our backups for 7 days, then destroy it with no way to recover it.

To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections. We use this procedure to better safeguard your information. You can correct factual errors in your personally identifiable information by sending us a request that credibly shows error.

We will respond as quickly as possible, and certainly within 30 days.

We need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

Data Security

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

If we become aware of a data breach that affects your personal data, we will notify you (and the appropriate national supervisory authorities) within 72 hours.

Our detailed Information Security information is here.

Who Can See My Wireframes?

The people you share them with, as described in our Online Service or Licensed Product's documentation.

For the Balsamiq Services that have the concept of Owners (as defined in Terms of Service), they will be able to see your wireframes as well.

For Online Services some Balsamiq employees will also have access, according to the following guidelines:

  • We restrict who at Balsamiq can access customer data to only senior members of the team, and never to outside parties.
  • We only access your wireframes in response to a customer support question, or to debug and fix an issue.
  • We never make changes to anything unless explicitly requested by an Owner.
  • We never share what we see with other customers, the general public, or the rest of the Balsamiq staff.
  • We might give access to US authorities if requested in writing. We’ll try not to, but we don’t have the resources to fight the government. We’ll also keep your Owner(s) informed as much as we can if this happens.

Children's Privacy

Protecting the privacy of the very young is especially important. For that reason, we never collect or maintain information on our Online Service or Licensed Product from those we actually know are under 16, and no part of our Online Service or Licensed Product is structured to attract anyone under 16. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact us at privacy@balsamiq.com.

Changes to this Privacy Policy

We may change this privacy policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice by adding a notice on our homepage, product login screens, or by sending you an email notification. We also keep prior versions of this Privacy Policy in an archive for your review.

Contact Balsamiq

Should you have questions or concerns about our Privacy Policy, our practices, or any of our legal documents, please call us at +1 (415) 367-3531 or send us an e-mail at privacy@balsamiq.com.

Balsamiq Studios, LLC
1517 24th Street
Sacramento, CA, 95816-6206

Balsamiq SRL
Viale Oriani 2
40137 Bologna (BO)
Italy

Document History

  • 31 May 2018: Added Wireframestogo.com and UXApprentice.com, improved Children's Privacy section, added proactive support info, and fixed some typos.
  • 25 May 2018: major update to unify our separate privacy policies into one, and to add more detail as required by GDPR.
  • 2008_03_15_balsamiq_privacy_policy.pdf - published March 15, 2008.