Medallia Global Privacy Policy
Last Reviewed and Updated: September 5, 2025
Medallia, Inc. and its affiliates (“Medallia,” “we,” “us,” or “our”) respect your privacy and are committed to transparency about how we handle personal data. This Global Privacy Policy explains our practices when we act as a data controller, for example on our websites, in our marketing programs, in events, and in recruitment. It also explains how we support our enterprise customers when we act as a data processor or service provider using the Medallia Experience Cloud (“MEC”).
This Policy does not apply to personal data we process, in MEC, on behalf of our commercial customers (such as banks, retailers, hotels, and the like). When you respond to a customer survey or otherwise interact with MEC at Medallia’s customer’s direction, the customer (i.e., bank, etc.) is the controller and their privacy policy governs. We process that data only on their instructions under specific agreements, such as our Data Processing Addendum or their form of Data Processing Addendum.
1. Medallia and Customer Data (Processor Role)
Medallia provides software and services that help organizations understand and improve customer, employee, and stakeholder experiences. When our commercial customers use the Medallia Experience Cloud to collect information in the platform (“Customer Data”), our customer decides how Customer Data is processed or used.
Medallia does not review, share, distribute, or reference Customer Data except as permitted by those agreements or as required by law. Access to Customer Data is limited and monitored, and is used only for purposes such as providing services, addressing support or technical issues, maintaining security, or meeting legal obligations.
If you have questions about personal data you provided through MEC at the request of a Medallia customer, you should contact that customer directly. Our agreements require us to redirect individual rights requests to the customer. We support our customers by providing product features and processes that enable them to respond to requests for access, correction, or deletion.
For general support inquiries, including problems with survey completion or incorrect survey invitations, please visit our Survey Support Portal. If you received a survey invitation by email and no longer wish to participate, please use the opt-out link in that email or visit our opt-out FAQs.
To provide services, Medallia engages carefully selected subprocessors that perform functions such as hosting, analytics, and communications support. You can view the current list of our subprocessors here. These subprocessors are contractually bound to use Customer Data only for the purposes specified by Medallia and to apply appropriate safeguards.
We retain Customer Data for as long as a customer’s account is active or as needed to provide services, and thereafter only as necessary to comply with law, resolve disputes, enforce agreements, or meet other legitimate business needs consistent with our contracts.
2. Information We Collect and How We Use It
When Medallia acts as a controller, we collect and use personal data in several contexts. The type of information we collect, the way we use it, and the legal basis for processing depend on how you interact with us.
Websites and Online Services
When you visit medallia.com or related websites that link to this Policy, we collect information through forms you complete and through automated technologies. This may include:
- Information you provide. For example, when you register for a webinar, download a whitepaper, or sign up for a newsletter, we collect identifiers such as your name, business email, company, job title, preferences, and any other information you choose to share with us.
- Information collected automatically. We collect information sent by your browser or device, such as IP address, device type, operating system, browser type and version, geographic region (approximated from the IP address), the pages you visit, and the links you click. We use cookies and similar technologies to remember your preferences and to understand how our websites are used.
We use this information to operate and secure our websites, deliver requested resources, measure the effectiveness of our content, and improve the user experience. Where required by law, we seek and rely on your consent for non-essential cookies and electronic communications. In other contexts, such as operating the site and providing requested content, we rely on our legitimate interests to provide secure and functional websites.
Website Feedback Survey and OCEM Assessment
We offer a Website Feedback Survey to understand how visitors experience our site and to identify opportunities for improvement. If you choose to participate, the survey may collect information about your browsing session, including the pages visited, your responses to questions, and any comments you provide. You may also choose to include your contact information if you would like us to follow up. In some cases, the survey tool may allow you to capture and share screenshots of portions of our site to illustrate feedback.
We also offer an Operational Customer Experience Management (“OCEM”) Assessment that helps our prospective customers evaluate and define their customer experience goals. The OCEM Assessment collects your responses to a set of structured questions, which may include information about your business priorities and customer engagement practices. If you provide contact details, we may use them to deliver your results, share additional resources, or follow up on areas of interest.
Both the Website Feedback Survey and the OCEM Assessment may collect limited technical data such as your IP address, browser type, and device information to ensure the tools function properly and to support analytics. Participation is voluntary, and you can choose not to provide contact details if you prefer to remain anonymous.
Marketing, Sales, and Events
When you interact with our marketing and sales activities, we collect and use your information to inform you about Medallia’s products, services, and events that may be relevant to your role or organization. This may include:
- Contact details and professional information such as your name, business email, phone number, job title, company name, and industry.
- Engagement history such as your attendance at events or webinars, downloads of content, interactions with our emails, and participation in promotional campaigns.
- Inferred interests based on your interactions with our sites and content, collected through cookies and analytics tools.
We use this information to send you product updates, event invitations, newsletters, and promotional offers, and to personalize your experience with Medallia. In jurisdictions where the law requires consent, we will seek your permission before sending electronic marketing communications or placing cookies. In other contexts, particularly in professional communications, we may rely on legitimate interests to develop our business, while always giving you an easy way to opt out.
Recruitment and Applicants
If you apply for a role with Medallia, we process your personal data to evaluate and manage your application. This includes:
- Information you provide. Such as your resume or CV, education and employment history, qualifications, references, and contact details.
- Information generated during the recruitment process. Such as interview notes, assessment results, and communications with you.
- Information from third parties. Such as recruiters, professional references, publicly available professional profiles (for example, LinkedIn), and background check providers where permitted by law.
- Information processed with the support of AI-enabled tools. To the extent allowed by law, we may use automated tools, including third-party platforms such as LinkedIn Recruiter, to assist with candidate sourcing and screening. These tools support our recruiters by highlighting potential candidates or matching role requirements, but they do not replace human judgment. All employment decisions involve meaningful human oversight.
In some jurisdictions, and only where lawful, we may process sensitive personal information such as demographic information for equal opportunity monitoring or right-to-work information for compliance with immigration laws. We use applicant data to assess qualifications, communicate during the hiring process, comply with legal obligations, and maintain a talent pool for future opportunities. If you are not selected for a role, we may retain your information for a limited period, consistent with legal requirements and our retention standards, so that we can comply with our obligations and consider you for future opportunities.
Security, Compliance, and Improvement
We process personal data for purposes that support our business operations and legal/compliance obligations. This includes:
- Maintaining security. Monitoring systems and logs to detect and prevent fraud, abuse, or unauthorized access.
- Legal compliance. Meeting obligations under laws and regulations, and responding to lawful requests such as subpoenas, court orders, or government inquiries.
- Internal analytics. Understanding how our websites and services are used to improve design, functionality, and user experience.
- Product development. Using aggregated or de-identified data to develop new features and capabilities.
Whenever possible, we de-identify or aggregate personal data before using it for these purposes. Some information is necessary to provide requested content or services. If you do not provide required information or ask us to delete it, we may not be able to fulfill your request or provide certain features.
Children
Medallia’s websites and recruiting efforts are directed to individuals 16 years of age and older. We do not knowingly collect personal data from children under 16. If we learn that we have inadvertently collected such data, we will delete it within a reasonable period. To request removal of data believed to have been provided by a child under 16, please contact us as described in Section 13.
3. How We Share Personal Data
We do not sell personal data. However, in some jurisdictions, certain disclosures of personal data for analytics or advertising may be considered a “sale,” “share,” or “targeted advertising.” Where required, we provide you with choices to opt out of those activities.
We share personal data only in limited circumstances and with appropriate safeguards, including the following:
Within the Medallia group. We may share personal data among Medallia, Inc. and its affiliates to provide services, administer operations, and support business functions in a manner consistent with this Policy.
With service providers. We engage carefully selected service providers to perform functions on our behalf, such as website hosting, analytics, marketing automation, event management, recruiting, and security. These providers act under written agreements that limit their use of personal data to the purposes specified by Medallia and require appropriate technical and organizational measures to safeguard the data.
With business partners. We may share limited business contact information with trusted partners, including channel partners, integration partners, referral partners, and co-marketing or co-selling partners, in order to support joint sales and marketing initiatives, facilitate customer success, and improve interoperability of our services. We may also share information with event sponsors where you choose to register for a co-hosted event. When we share information with partners, we provide notice at the time of collection and, where required by law, obtain your consent.
For legal reasons. We may disclose personal data as required by law or legal process, including responding to lawful requests such as subpoenas, court orders, or government inquiries. We may also disclose information to enforce our agreements, protect our rights and property, or ensure the safety of Medallia, our users, or the public.
In corporate transactions. If Medallia is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred as part of that transaction. If such a transfer occurs, we require the recipient to honor the commitments in this Policy and we provide notice as required by law.
For analytics and advertising. We may allow certain third-party partners, such as analytics or advertising providers, to collect information from your browser or device when you visit our sites. These partners may use cookies, trackers and similar technologies to provide services to us and to deliver targeted advertising. In some jurisdictions, this may be considered a sale or sharing of your personal information. You can exercise choices through the mechanisms described in Section 8 and the California disclosures in Section 10.
4. International Data Transfers
Medallia is a global company headquartered in the United States. We may transfer and process personal data in the United States and in other countries where we, our affiliates, or our service providers operate. These countries may have privacy and data protection laws that differ from those in your country of residence.
Transfers from Europe, the UK, and Switzerland. For personal data transferred from the European Economic Area (EEA), the United Kingdom, and Switzerland to countries not recognized as providing an adequate level of protection, we rely on appropriate transfer mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) or Addendum to the SCCs, and supplementary measures as needed. We conduct transfer impact assessments and monitor developments in applicable law to ensure data is protected to a standard essentially equivalent to that required under EU, UK, and Swiss law.
Data Privacy Framework. Medallia, Inc. is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce. While we primarily rely on SCCs, the IDTA, and related safeguards, our DPF certification provides an additional mechanism for transfers of personal data to the United States. The U.S. Federal Trade Commission has jurisdiction over our compliance with the DPF Principles. We remain responsible for onward transfers to third parties in accordance with those Principles. For more information, please see our Data Privacy Framework Notice.
Other transfers. Outside Europe, the UK, and Switzerland, we comply with local requirements for cross-border data transfers, including recognition of adequacy decisions and the use of contractual protections where required.
5. Data Retention
We retain personal data only as long as necessary to fulfill the purposes described in this Policy or as required by law. When determining retention, we consider the type and sensitivity of the data, the purposes of processing, contractual commitments, legal and regulatory obligations including applicable limitation periods, and the potential risk of harm from unauthorized use or disclosure.
We may also retain personal data for a limited period to resolve disputes, enforce agreements, or meet other legitimate business needs consistent with our contracts and legal obligations.
When personal data is no longer needed, we delete it or de-identify it consistent with our standards and applicable law. Where possible, we use aggregated or de-identified data for analytics, product improvement, or other business purposes.
Specific retention periods for different types of data are documented in our internal data retention schedule, which is reviewed regularly to ensure compliance with legal and business requirements.
6. Security
Medallia is committed to protecting the personal data we process. We maintain a comprehensive information security program with administrative, technical, and physical safeguards designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Our security measures include encryption, access controls, vulnerability management, incident response planning, and regular employee training. We also undergo independent audits and maintain certifications aligned with recognized industry standards.
For more information about our security practices and certifications, please visit Medallia Trust & Security.
7. AI Governance
Medallia uses artificial intelligence (“AI”) and automated tools in limited ways to support our operations and to enhance the experiences we provide. We recognize the importance of using these technologies responsibly and in compliance with applicable laws.
Responsible AI practices. We evaluate AI tools before use, monitor their performance, and apply human oversight to decisions that could affect individuals. Our governance program is designed to manage risks such as bias, fairness, and transparency, and is updated as legal and regulatory requirements evolve.
Recruitment and hiring. As part of our talent acquisition process, we may use AI-enabled tools to assist with candidate sourcing and assessment, including third-party platforms such as LinkedIn Recruiter, to the extent allowable by applicable law. These tools help identify potential candidates or highlight role matches, but they do not replace human judgment. All employment decisions involve meaningful human oversight.
Automated decision-making and profiling. We may use limited forms of automated processing to personalize content, measure engagement, or improve services. These activities are intended to support our teams and customers, not to make final decisions with legal or similarly significant effects. Where laws provide rights related to automated decision-making or profiling, such as the right to request human review, we honor those rights.
Customer data. Where Medallia processes personal data on behalf of commercial customers in the Medallia Experience Cloud, we act only as a processor or service provider and use AI features solely as permitted by our customer agreements. Customers control how those features are used in their own environments.
Our AI governance program is a living framework. We are dedicated to continually evolving our practices to align with new regulations and ethical best practices to ensure our use of AI remains responsible and transparent.
8. Your Rights and Choices
Your rights depend on your location and the laws that apply. Subject to verification and legal exceptions, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of personal data.
- Receive a portable copy of your personal data.
- Object to or restrict certain processing.
- Opt out of the sale, sharing, or use of personal data for targeted advertising where those concepts apply.
- Limit the use and disclosure of sensitive personal information.
- Request information about our use of automated tools, obtain human review of decisions based solely on automated processing that produce legal or similarly significant effects, express your point of view, or contest such decisions. If you are a candidate, you may exercise these rights in connection with recruitment tools as described in Section 7.
- Appeal a decision if we decline to fulfill your request.
- Be free from discrimination for exercising your privacy rights.
How to exercise your rights. You can submit a request through our Privacy Request Form or by using the contact details in Section 13. We verify identity before fulfilling requests and respond within required timeframes. Where laws provide a right to appeal a decision, we explain how to appeal in our response.
Marketing choices. You may unsubscribe from marketing emails at any time using the link in those emails.
9. Cookies, Tracking Technologies, and Online Advertising
How we use cookies. We use cookies, tracking pixels, SDKs, and similar technologies to operate our websites, remember preferences, analyze usage, personalize content, and deliver or measure advertising. You can adjust your choices at any time through the Cookie Preferences link at the bottom of our website homepage.
Consent and opt-out. In the EEA and the UK, we obtain consent before setting non-essential cookies or activating comparable technologies, including advertising tags. In the United States, some cookie uses may be considered a sale, a share, or targeted advertising under state privacy laws. Visitors in those jurisdictions can exercise choices using the Cookie Preferences or by contacting us as described in Section 13.
Consent management technology. We use a consent tool to present choices and record preferences. While this tool is designed to prevent the use of non-essential cookies when you opt out, technical factors such as third-party integrations or page load sequence may result in the limited collection of device or browser information before preferences are fully applied. We continue to work with our providers to align implementation with user choices across jurisdictions.
Global Privacy Control (GPC). Where required by law, we recognize and honor browser-based opt-out preference signals, such as the Global Privacy Control (GPC). When a valid GPC signal is detected, our system treats it as a request to opt out of the “sale” or “sharing” of personal data for the browser that sends the signal.
Demandbase. We use Demandbase to understand engagement by business audiences and to deliver business marketing analytics. Demandbase may collect technical information from your browser or device, such as IP address, device and browser details, and page interactions, when you visit our sites. Demandbase acts as an independent controller of the data it collects through its tags and may use that data for its own purposes, as described in its own privacy notice. Your selections in Cookie Preferences communicate your choices to us and, where applicable, to certain partners.
10. Jurisdiction-Specific Disclosures
This section provides additional information required under certain privacy laws.
California (CPRA)
The following table summarizes the categories of personal information we collect, the purposes for which they are used, and whether they are sold or shared as defined under the California Privacy Rights Act. We retain each category for as long as necessary to fulfill the purposes described in this Policy, or as otherwise permitted by law.
|
Category
|
Examples
|
Purposes of Use
|
Sold
|
Shared for Advertising
|
|
Identifiers
|
Name, email, IP address, account ID, company name
|
Website operation, account management, marketing, sales, recruitment, security, compliance
|
No
|
Yes
|
|
Customer Records (as defined in Cal. Civ. Code § 1798.80(e))
|
Contact details, education, employment history
|
Recruitment, marketing, sales, events, compliance
|
No
|
No
|
|
Protected Classifications
|
Demographic info (voluntarily provided, e.g., age, gender, ethnicity)
|
Recruitment (diversity monitoring, compliance)
|
No
|
No
|
|
Commercial Information
|
Products/services purchased or considered, transaction history
|
Sales, marketing, product improvement
|
No
|
No
|
|
Internet/Network Activity
|
Browsing history, interactions with websites or ads
|
Website operation, analytics, marketing, advertising, security
|
No
|
Yes
|
|
Geolocation
|
Approximate location from IP, or precise geolocation if enabled
|
Website functionality, events, marketing
|
No
|
Yes (if used for targeted ads)
|
|
Professional/ Employment Information
|
Job title, company, qualifications, resume/CV
|
Recruitment, sales, marketing
|
No
|
No
|
|
Education Information
|
Education history, academic records
|
Recruitment
|
No
|
No
|
|
Inferences
|
Profiles about preferences, interests, or characteristics
|
Marketing, advertising, recruitment
|
No
|
Yes
|
|
Sensitive Personal Information
|
Right-to-work data, demographic details
|
Recruitment, events, compliance
|
No
|
No
|
California residents. California residents have the rights described in Section 8, including the right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information, and request information about automated decision-making.
Other U.S. state privacy laws. Medallia applies the rights described in Section 8 to individuals covered by other U.S. state privacy laws, such as those in Colorado, Connecticut, Utah, Virginia, Texas, and others as they come into effect. Where required, we obtain consent before processing sensitive personal data, and we provide mechanisms to opt out of targeted advertising or sales as defined under applicable law.
Local hiring transparency laws. In certain jurisdictions, local laws may require transparency regarding the use of automated tools in recruitment or hiring. Medallia complies with these requirements by providing notices to candidates and ensuring meaningful human oversight of employment decisions.
Europe, UK, and Switzerland. For individuals in the European Economic Area, the United Kingdom, and Switzerland, additional disclosures apply under the GDPR and UK data protection law. Medallia identifies lawful bases for processing as described in Section 2, and conducts transfer assessments as described in Section 4. Individuals may also lodge complaints with their local supervisory authority. Our Data Protection Officer may be contacted as described in Section 13.
11. Third-Party Sites and Services
Our websites and services may include links to third-party websites, social networks, or applications. These features may allow you to engage with content, share information, or connect with third-party services. When you interact with these third parties, they may collect information directly from you or through technologies integrated into our sites.
Medallia does not control the data practices of these third parties and is not responsible for their privacy or security practices. Your interactions with them are governed by the privacy policies and terms of those third-party services. We encourage you to review their privacy notices before providing personal data or using their features.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in our business practices, technologies, or legal requirements. When we update this Policy, we will post the revised version on this page and update the “Last Reviewed and Updated” date at the top. If we make material changes, we may also provide additional notice, such as by email or through other appropriate channels, where required by law.
We encourage you to review this Policy periodically to stay informed about our privacy practices.
13. Contact Us
If you have questions about this Policy or about Medallia’s privacy practices, you can contact us in the following ways:
- Privacy Request Form: Submit a request here
- Email: [email protected]
- Postal Mail:
Medallia, Inc.
Attn: Privacy Office
6220 Stoneridge Mall Road, 2nd Floor
Pleasanton, CA 94588, USA
Data Protection Officer. Medallia has appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws in the European Union, the United Kingdom, Singapore, and other jurisdictions where a DPO is required. If your inquiry relates to data protection rights or compliance matters, please address it to the Privacy Office, Attn: Data Protection Officer.
