Effective February 21, 2020. Document History
This Policy applies to all of Balsamiq websites, products and services, and any point of contact you might have with Balsamiq.
We define the following as our "Online Services":
- The balsamiq.com websites (balsamiq.com, blog.balsamiq.com)
- Balsamiq Cloud
- Balsamiq for Google Drive
- Balsamiq for Confluence Cloud
- Balsamiq for Jira Cloud
- Balsamiq for ux.stackexchange.com
We define the following as our "Licensed Products":
- Balsamiq for Desktop
- Balsamiq for Confluence Server
- Balsamiq for Jira Server
This document is a sister-document to our EULAs & Terms of Service documents. Please make sure you read both carefully before accessing or using a Balsamiq Online Service or Licensed Product.
Our Commitment to Privacy
We have made a commitment to be good citizens. We consider protecting and respecting your personal information as an essential part of that responsibility.
Our business model is a very traditional one: we provide products and services, and customers pay us for them. In other words, you are the customer, NOT the product.
Who We Are
Balsamiq is a small multi-national organization, based in Italy and the USA. We've been around since 2008 and are bootstrapped, profitable, and aim for longevity over growth. We believe in forming long-term relationships with our customers, our employees, and our communities. It all starts with trust.
Our Italian company (which does Research and Software Development) is Balsamiq SRL. Our tax identification number (P.IVA and C.F) is IT-02921031205.
Our US company (which primarily does Sales and Marketing) is Balsamiq Studios, LLC. Our Federal Tax Identification Number (EIN) is 26-2200095.
Balsamiq SRL fully owns Balsamiq Studios, LLC, and both are run by our founder and CEO Giacomo Guilizzoni (firstname.lastname@example.org).
In GDPR terminology, our two companies act as joint controllers, with the main EU establishment in Italy.
Data We Collect and How We Use It
Below is a complete description of data we collect, and what we do with the data. Every piece of information collected is done with a specific purpose, such as to provide our Services to you and to fulfill our legal obligations. If it's not listed here or in our EULA or Terms of Service, we don't do it.
We call data that identifies — or that could reasonably be used to identify — you as an individual as "Personal Data."
This data includes:
- Contact details, such as name, email address, postal address.
- Financial data such as credit/debit card number.
- Other personal data, such as IP address, or your image and voice if you participate in a recorded meeting or event with us.
You can find detailed information on how we keep your data safe in our Information Security page.
Transaction and Billing Information
When purchasing directly from Balsamiq we collect data from you in order to complete the transaction and provide you access to our Online Service or Licensed Product. To make it as secure as possible, your credit card information (including number, expiration date and CVC security code) is sent securely to our payment processor directly from your browser. The processor validates it and sends us a validation code we can use to finish the purchase.
In the case of our Subscription Services (Balsamiq Cloud, Balsamiq Wireframes for Google Drive, and myBalsamiq) the processor stores your credit card information as well as your billing contact information in order to process your monthly or annual automatic renewals, or to allow you to upgrade or downgrade your subscription without re-entering a credit card number.
We never have access to, nor store your full credit card information.
The payment processor code we use also sets a cookie in your browser, to remember your info for future purchases. You can delete or block that cookie if you wish; our website will continue to work.
We require you to enter your billing information. This data, as well as the last four digits of your credit card which is sent to us by our payment processor, is stored in our transaction database (which we call "Olio") in order to maintain our financial records. This information appears on your invoice, which can be accessed by anyone who has been sent the URL link to your invoice. We make the invoice links purposefully long and hard to guess for added security, and we prevent search engines from indexing them.
We automatically email the public invoice link following the purchase to the email address(es) you have provided.
The history of changes to the billing contact information on the invoice made by you or our team is logged and stored in Olio.
As part of purchasing a Licensed Product directly from us (Balsamiq for Desktop or Atlassian Server Apps), you are requested to enter a License Name. This is usually a company name, but sometimes an individual's name is entered. This name is kept in Olio to maintain accurate purchase records.
If we have issued you a free license or a trial license extension via email, we will have saved your email address in Olio along with the License Name we issued, which may be in a company or individual's name, depending on the case. We keep this data to track the software we have given out.
Subscription Service records may include more than one billing contact. These email addresses and related billing contact information can be updated at any time and the history of changes is logged in Olio.
Lastly, if you have purchased one of our Atlassian Apps for Jira or Confluence directly from the Atlassian Marketplace, Atlassian has offered us access to the billing records for purchases of our app. We import this data into Olio which includes limited Personal Data such as the technical and billing contacts' email address and names. This information is used to offer better support to customers by having all purchase records together, as well as for our accounting purposes. Data from Atlassian includes purchase price, but not details on the payment method. Atlassian is not responsible for the privacy, accuracy nor security of this data.
The data we collect in Olio, including Personal Data, is not shared with third parties, except for the purposes of determining the validity of a payment. In this case we may share the name and email address associated with the purchase with the credit card holder, your company’s accounting department, or with our payment processor when responding to a chargeback.
We only send emails to the email addresses we collect in Olio to communicate account activity such as purchase confirmation and subscription status (renewal, cancellation, etc.).
Personal Data for Online Services
User Account Information
For our Online Services that have the concept of a "User Account", we store your name, email address, and if you upload it, a photo to use as your avatar.
We use this information to identify you as a user of the Online Service.
We store passwords only for Online Services with separate Balsamiq "User Accounts." We never store these passwords in the clear. No-one can see them. We either save them in our database using best-practice cryptographic hashing, or go through a 3rd party authentication provider (see below).
It is your sole responsibility to keep your user name, password, and other sensitive information confidential. If you become aware of any unauthorized use of your account or any other breach of security, you must notify Balsamiq immediately.
If you forget your password, we send you a secure link via email that lets you reset it.
Balsamiq staff will never change a password for you, nor change the Owners (as defined in the Terms of Service) or Billing Administrators. Please refer to our documentation to learn how to assign or revoke these roles yourself.
For those Online Services that do not require a separate User Account:
Atlassian Confluence and Jira apps: we do not store user data other than what is described in the Transaction and Billing Information section.
Balsamiq Wireframes for Google Drive: we store the user's email address and ID to properly identify the Google account.
A password is not required to use the following websites:
- The balsamiq.com websites (balsamiq.com, blog.balsamiq.com)
- Balsamiq for ux.stackexchange.com
Personal Data for Licensed Products
Our Licensed Products do not "call home" unless in response to specific in-app user actions that require online access, like accessing our online documentation, registering Balsamiq for Desktop licenses, or playing background music.
The only Personal Data we store for Licensed Products is related to the purchase transaction as described above.
Personal Data Stored Inside Projects
As described in the BMPR file format documentation, any time a user interacts with the Comments feature, their user ID, email address and name are stored inside the project database or file.
Communication with Us
If you send us an email to an address that ends in '@balsamiq.com', or use one of the online forms on our website balsamiq.com, or send us a crash report, we collect your name and email address and any additional information and documents you send us in your correspondence.
We keep that data in our help desk software indefinitely. The customer interaction history helps us provide you with better customer service and helps us research how to improve our products and services.
We also use this information to proactively contact you if we see from our logs that you're having an issue with our Services, or if we resolved an issue you reported. If you had expressed interest in them, or we think you might benefit from it, we also email you to notify you of beta programs or user research interviews.
If you chose to sign up for our newsletter, we ask you to enter your email address, so that we can send you the newsletter. We keep your email address in our newsletter service provider until you unsubscribe via the link included in every newsletter.
We conduct different types of user research studies to uncover new ways of making Balsamiq better for our customers.
The data we collect during research is confidential, and we don't share it outside our company.
Whenever possible, we anonymize the data. We may use this anonymized data in our different publications.
We delete personal data after each user research study is concluded, and never keep it for longer than 2 years. You can request to have your personal data deleted at any time.
Customer Advisory Board (CAB)
The CAB allows us to have pre-qualified participants for studies and build richer relationships with them.
CAB members receive emails periodically, informing them about upcoming studies and research updates. You can unsubscribe to the update emails, but stay in the CAB. We keep your data in the CAB until you tell us you want to leave it.
Online Forms on Balsamiq.com
If you have applied for a job or applied for one of our raffles for a free ticket to a conference, we ask you to enter your name and email address so that we can get back to you, as well as any application information you wish to provide in response to our questions.
We keep raffle data in our wiki until the end of each raffle, after which it is deleted.
In order to submit a comment to our blog, we ask you to enter your name and email address, so that we can attribute the comment to you and so that we can get in touch if needed to help you with your question or comment. We store your email address in our Wordpress hosting provider.
Visiting Our Online Services
We use Google Analytics to help us in our marketing and product design efforts, but we only track aggregate data. The Google Analytics code we use saves up to 4 cookies on your computer. You can delete or block those any time you wish, our website will continue to work.
We collect the IP addresses of everyone who visits our site or uses our Services. This information is used for debugging and DDOS prevention, and kept in our logs for 2 weeks.
In order to keep your Personal Data as secure as possible, we don't own any servers of our own. Instead, we rely on best-in-class third-party services to store your data more securely than what we would be able to do ourselves.
Here's the list of our vendors we use, and links to their privacy policies:
|G Suite||Google Sheets: Store data from balsamiq.com online forms, as well as customer lists for beta programs, user research, and similar. Gmail: Stores copies of our Customer Support emails||USA||G Suite Security and Trust|
|Help Scout||Support Help Desk||USA||
Help Scout Security
|MailChimp||Newsletter delivery and user research updates||USA||
About the General Data Protection Regulation
|Postmark||Transactional application emails||USA||
Postmark EU Data Protection
|SendGrid||Transactional application emails||USA||
SendGrid EU Data Protection
WPEngine & GDPR Compliance
How to Access or Control Your Data
You have the right to request a copy of your information, to object to our use of your information, to request the deletion or restriction of your information, or to request your information in a structured, electronic format.
Balsamiq Cloud and myBalsamiq give you a way to access your personal information and correct it, via User Settings or a billing page.
Most of our Online Services give you a way to download or delete your data at any time. Once you delete your data, unless specified otherwise, we keep it in our backups for up to 60 days, then destroy it with no way to recover it. For archival, support and/or bug fixing purposes, we may save your data for longer than 60 days.
If you have any questions or concerns or would like to invoke your rights regarding your Personal Data, such as requesting a copy of your data or rectifying or deleting data, don't hesitate to email us at email@example.com.
To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections. We use this procedure to better safeguard your information. You can correct factual errors in your personally identifiable information by sending us a request that credibly shows error.
We will respond as quickly as possible, and certainly within 30 days.
In certain circumstances we may need to retain certain information for record-keeping purposes, to complete transactions or to fulfill obligations dictated by the law, including tax or regulatory requirements, or other lawful purposes.
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
If we become aware of a data breach that affects your Personal Data, we will notify you (and the appropriate national supervisory authorities) within 72 hours.
Our detailed Information Security information is here.
Who Can See My Wireframes?
The people you share them with, as described in our Online Service or Licensed Product's documentation.
For the Balsamiq Services that have the concept of Owners (as defined in Terms of Service), they will be able to see your wireframes as well.
For Online Services some Balsamiq employees will also have access, according to the following guidelines:
- We restrict who at Balsamiq can access customer data to only senior members of the team, and never to outside parties.
- We only access your wireframes in response to a customer support question, or to debug and fix an issue.
- We never make changes to anything unless explicitly requested by an Owner.
- We never share what we see with other customers, the general public, or the rest of the Balsamiq staff.
- We might give access to government authorities if requested in writing. We’ll try not to, but we don’t have the resources to fight the government. We’ll also keep your Owners(s) informed as much as we can if this happens.
Where Are My Wireframes Stored?
- Balsamiq does not store nor have access to wireframe data of our Licensed Products. Users choose where to store their wireframes.
- Balsamiq stores wireframes for Cloud until an account is deleted.
- Google Drive, Confluence Cloud, and Jira Cloud integrations store a temporary copy of your projects on our servers. This is done to provide functionality, such as autosave and real-time-collaboration.
- The data is regularly sent back to the platform for official storage (as a Google Drive file or as a Jira issue attachment). We keep this temporary data for 30 days. If there are errors sending it to the platform, we might keep the data for longer, as a backup. We do not permanently store or delete these wireframes.
Privacy Shield Notice
Balsamiq Studios, LLC is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Balsamiq Studios, LLC complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. Balsamiq is liable for any processing of personal information by such third parties that is inconsistent with the Privacy Shield Principles unless it is not responsible for the event giving rise to any alleged damage.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Balsamiq Studios, LLC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). In certain situations, Balsamiq Studios, LLC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, Balsamiq Studios, LLC commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Balsamiq.
Balsamiq Studios, LLC has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU.
Under certain conditions, Privacy Shield provides the right to invoke binding arbitration when other dispute resolution procedures have not provided resolution. This is described in Annex I to the Privacy Shield.
*Only US-based entities are eligible to self-certify under Privacy Shield. Therefore, as an EU based entity, Balsamiq SRL does not need to self-certify under Privacy Shield in order to transfer data outside of the EU.
Protecting the privacy of the very young is especially important. For that reason, we rarely include photos of children on our social media. In the rare case that we do, explicit parental permission has been granted for this purpose. Furthermore, we never collect or maintain information on our Online Service or Licensed Products from those we actually know are under 16, and no part of our Online Service or Licensed Products are structured to attract anyone under 16. If we become aware that a child under 16 has provided us with Personal Data, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact us at firstname.lastname@example.org.
Balsamiq Studios, LLC
1517 24th Street
Sacramento, CA, 95816-6206
Via Romita 2/5
40128 Bologna (BO)
- 2 Apr 2020: Added "Personal Data Stored Inside Projects" section, and mention of crash reports.
- 21 Feb 2020: Added "User Research" section, clarified "Other Personal Data", and specified how we treat artifacts you send us that contain Personal Data.
- 17 Jan 2020: Several updates to improve readability, clarify where wireframes are stored, how to invoke your rights, third-party vendors updates, and to clarify when Licensed Products may "call home".
- 2 May 2019: Added note to comply with section 8.4(d) of the Atlassian Vendor Agreement, added more details to highlight the differences between our Online Services, and how they manage data.
- 7 Nov 2018: Updated with Privacy Shield information.
- 2 Aug 2018: Updated deleted data retention period from "7 days" to "up to 60 days".
- 31 May 2018: Added Wireframestogo.com and UXApprentice.com, improved Children's Privacy section, added proactive support info, and fixed some typos.
- 25 May 2018: major update to unify our separate privacy policies into one, and to add more detail as required by GDPR.
- 2008_03_15_balsamiq_privacy_policy.pdf - published March 15, 2008.