Privacy policy

  • Updated

Creating effective privacy controls is essential for compliance with various state and national privacy laws. It is also required for meeting customer privacy expectations. Optimizely has implemented a variety of privacy controls, but recognizes that privacy is a shared responsibility with customers.

The purpose of this document is to provide guidance on drafting a compliant and effective privacy policy for use with Optimizely's products and services.

Disclaimer: Due to the legal obligation a privacy policy places on an organization, Optimizely expects you, as a customer, to develop your own privacy policy based on your unique environment and set of laws and regulations you may operate under.

What is a Privacy Policy?

A privacy policy formalizes and communicates how an organization gathers, uses, discloses and manages the data it stores and processes as part of customer-related services. The ultimate goal of a privacy policy is to legally disclose and define how an organization protects its customers' data from improper disclosure and modification, while still meeting applicable laws and regulations.

Basic components of a privacy policy include:

  • Data collection use and sharing disclosure Communicates the data types collected, how the organization uses the data and any third parties with whom the organization shares data.
  • Method of contact Provides a channel for customers to contact the organization about privacy-related questions or concerns.
  • Individual rights Gives customers a list of options for reviewing, opting-out or removing their data from an organization s storage or processes.
  • Laws and regulations Provides a list of in-scope privacy laws and regulations by which the organization must abide.
  • Privacy policy updates Indicates how the organization implements privacy policy changes and how it notifies customers about these changes.

Optimizely's Privacy Policy

As an ecommerce solutions service provider, Optimizely's strategy is to build privacy controls, processes and technologies that both meet our privacy requirements and enable you to meet your own unique requirements. We accomplish this strategy by including privacy information in the following:

  • A published privacy policy that communicates general privacy statements
  • The Services and Support Agreement (SSA) that customers sign when purchasing Optimizely services
  • A variety of General Data Protection Regulation (GDPR) processes and a Data Processing Agreement (DPA) for customers who require one, such as customers that are in scope for GDPR

Laws and Regulations

Below is a list of the laws and regulations you should consider when determining your organization s privacy requirements. Each includes a scope that depends on the type of data you collect and the region or nation in which your customer resides.

Law/Regulation Country of Origin

Health Insurance Portability and Accountability Act (HIPAA)


US Privacy Shield


Children's Online Privacy Protection Act (COPA)


Gramm-Leach-Bliley Act (GLBA)


California Online Privacy Protection Act (CalOPPA)


General Data Protection Regulation (GDPR)


Personal Information Protection and Electronic Documents Act (PIPEDA)



Apple and Google require all submitted mobile applications to link to a defined privacy policy containing the following elements:

  • Identification of all data collected, how it is collected and how you use it.
  • Indication that you take due diligence with data you share with third parties, which ensures that the same or equal protections of the data exist.
  • Description of data retention/deletion policies and how customers can revoke consent and/or request deletion of their data.


For more general information on privacy policies, see Privacy Shield Framework.