Privacy policy
Last updated: 16 May 2024
Table of Contents
- 1. Maze approach to privacy
- 2. Our role in relation to your personal information
- 3. Personal information we collect about you and how we use it
- 4. Cookies and similar technologies
- 5. Information we share with third parties
- 6. Marketing and advertising
- 7. Storing and protecting your personal information
- 8. Your rights in respect of your personal information
- 9. Location of your personal information
- 10. Notice on EU-US Data Privacy Framework and UK Extension
- 11. Links to third party sites
- 12. Changes to this policy
- 13. Notice to you
- 14. Children
- 15. Complaints
- 16. Contacting us
- Annexes
1. Maze approach to privacy
1.1 We operate a service which allows you to import, and validate your design using our website located at https://maze.co (the “Service”).
1.2 We appreciate your interest in our Service. Privacy protection is very important to us and we are committed to protecting you and respecting your privacy. This privacy policy sets out information about how we collect, store, process, transfer, share and use data that identifies or is associated with you when providing our Service (hereinafter “personal information”).
1.3 The Service is operated by MAZE.DESIGN INC. (“Maze”, “we”, “our” or “us”) and we act as a data controller in relation to the personal information we hold about you. Our registered address is 800 Menlo Ave, Suite 220, Menlo Park, CA 94025.
2. Our role in relation to your personal information
2.1 We process two broad categories of personal information when you access the Service:
- your personal information as a customer (or potential customer) of the Service, or as a visitor to our website (hereinafter “Customer Data”); and
- your personal information that we received from a customer who signed you up as a tester/participant on the Service (hereinafter “Participant Data”).
2.2 For the purposes of data protection laws, we act as: (i) the controller of Customer Data, but as (ii) a processor of Participant Data (acting on behalf of the customer who provided your personal information to us in the first place). A controller decides why and how to process personal information. A processor processes personal information on behalf of a controller based on the controller’s instructions.
3. Personal information we collect about you and how we use it
Customer Data
3.1 We collect Customer Data about you when you voluntarily submit such data directly to us through our Service. This can include information you provide to us when you register with us, edit your profile, uploaded content, purchase services, correspond with us, respond to a survey, enter a promotion or use some other feature of our Service.
3.2 At various places on our site you may be requested to enter certain personal information. Personal information that must be provided in order to use the requested services will be indicated at the time of collection. If you choose not to provide this personal information, we may not be able to provide some or all of the features and functionalities of the Service to you or respond to your other requests. Other personal information that you are not required to provide in order to receive our services may be voluntarily given and you are free to decide not to give such personal information.
3.3 The annexes sets out the categories of Customer Data we collect about you and how we use that information. The table also lists the legal basis which we rely on to process the personal information and the recipients of the personal information. Please also refer to the section titled ‘Cookies and similar technologies’ below.
3.4 We also automatically collect Customer Data indirectly about how you access and use the Service and information about the device you use to access the Service.
3.5 We may link or combine the Customer Data we collect directly from you and the Customer Data we collect automatically from you. This allows us to provide you with a personalised experience regardless of how you interact with us.
3.6 We may also link or combine the Customer Data we collect directly from you and other personal data we collect about you using publicly-accessible sources such as ZoomInfo, Clearbit or LinkedIn. All additional personal data collected from these third-party sources has been made public by you.
3.7 We may anonymise and aggregate any of the Customer Data we collect about you (so that it does not directly identify you). We may use such anonymised information for purposes that include testing our IT systems, research, data analysis, improving our site and developing new products and features.
Participant Data
3.8 We do not collect Participant Data for our own purposes. Instead, we receive such Participant Data about you from the customer who signed you up as a participant on the Service, or collect it directly from you for the benefit of, and on instructions from, the customer who signed you up as a participant on the Service. Maze allows Customers to make screen recordings of Participant activity on a web site or application that are part of a Maze (“Recording”). Customer is responsible for obtaining the necessary consents from and disclosing to Contributors the information that Customer will collect.
3.9 We use Participant Data to provide the Service to the customer who signed you up as a participant on the Service. We do not use Participant Data for any other purposes.
3.10 Should you wish to obtain more information about the categories of Participant Data that we collect on behalf of, and pursuant to instructions from, the customer who signed you up as a participant on the Service, and/or about the purposes for collecting such Participant Data, please contact them.
What are cookies?
We may collect information using ‘cookies’. Cookies are small data files stored on the hard drive of your computer or mobile device by a website or web application. We may use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your computer or mobile device until you delete them) to provide you with a more personal and interactive experience on our Service.
Cookies we use
Our Service uses the following types of cookies for the purposes set out below:
Essential cookies
Purpose: These cookies are deemed as essential to provide you with the required services. Without these cookies, we are unable to provide operational services to you. We only use these cookies to provide you with those services.
Third-parties: Stripe
Functional cookies
Purpose: These cookies enable us to provide additional features of the service. The purpose of these cookies is to provide you with a more personal experience, and enhance your user experience while interacting with our services.
Third-parties: Zendesk
Marketing cookies
Purpose: These cookies enable us to provide a personalised experience and promote content that may likely be of interest to you. These cookies use information about your browsing history to group you with other users who have similar interests. Based on that information, and with our permission, third party advertisers may place cookies to enable them to show adverts which we think will be relevant to your interests while you are on third party websites.
Third-parties: Google Tag Manager, Facebook, Twitter, LinkedIn, HighTouch
Analytics cookies
Purpose: These cookies are used to collect information about traffic to our Service and how users use our Service. The information gathered via these cookies does not ‘directly’ identify any individual visitor. However, it may render such visitors ‘indirectly identifiable’. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access our Service. The information collected is aggregated and anonymous. We use this information to help operate our Service more efficiently, to gather broad demographic information and to monitor the level of activity on our Service.
Third-parties: Segment, Amplitude, Google Analytics, Hotjar, RescueMetrics
Social Media cookies
Purpose: These cookies are used when you share information using a social media sharing button or ‘like ’ button on our site or you link your account or engage with our content on or through a social networking website such as Facebook, Twitter or LinkedIn. The social network will record that you have done this.
Third-parties: Facebook, Twitter, LinkedIn
Disabling cookies
You can typically remove or reject cookies via your browser settings. In order to do this, follow the instructions provided by your browser (usually located within the ‘settings’, ‘help’ or ‘tools’ menu). Many browsers are set to accept cookies until you change your settings.
If you do not accept our cookies, you may experience some inconvenience in your use of our Service. For example, we may not be able to recognise your computer or mobile device and you may need to log in every time you visit our Service.
Further information about cookies, including how to see what cookies have been set on your computer or mobile device and how to manage and delete them, visit www.allaboutcookies.org and www.youronlinechoices.com.uk.
In particular, you can disable cookies which remember your browsing habits and target advertising at you by visiting https://www.youronlinechoices.com/uk/your-ad-choices. If you choose to remove targeted or advertising cookies, you will still see adverts but they may not be relevant to you. Even if you do choose to remove cookies by the companies listed at the above link, not all companies that serve online behavioral advertising are included in this list, and so you may still receive some cookies and tailored adverts from companies that are not listed.
5.1 We may share any of your personal information with the following parties (to the limited extent required in accordance with the uses set out in Annexes 1 and 2):
- (a) Companies in the same group of companies as us: our subsidiaries (i.e. any organisation we own or control) or our holding company or ultimate holding company (i.e. any organisation that owns or controls us) and any subsidiaries they own. For the avoidance of doubt, this includes MAZE.DESIGN LIMITED, in relation to which section 10 of this privacy policy titled “Notice on EU-US Data Privacy Framework and UK Extension” will apply. These companies will only use your personal information in the same way as we can under this privacy policy.
- (b) Service providers and advisors: third parties who provide a service to us. For example, third party service providers that provide our IT infrastructure or help support it, help us to provide you with support in relation to the Service, process payments from you on our behalf, organise and host in-person and virtual events on our behalf, develop analytical information for us about our products and services and provide professional services such as legal and accountancy services. These third parties will only be allowed to use your personal information in accordance with our instructions and will be required to keep your information secure.
- (c) Purchasers of our business: personal information may be disclosed or transferred to buyers or prospective buyers of our business or any of our assets as part of any such sale. We will take all reasonable steps to ensure that such recipients will use your personal information in a way that is consistent with this privacy policy.
- (d) Law enforcement, regulators and other parties for legal reasons: third parties to whom we are under a legal obligation to disclose your personal information or to whom we need to disclose your personal information to protect our rights, property or safety or to protect the rights, property or safety of others. We may also disclose personal information to third parties to help detect and investigate illegal activities and breaches of any agreement we have with you.
5.2 We do not disclose information about identifiable individuals to anyone else except as set out above. We may provide third parties with aggregate statistical information and analytics about users of our Service but we will make sure no one can be identified from this information before we disclose it.
6. Marketing and advertising
6.1 From time to time we may contact you with information about our products and services. Most marketing messages we send will be by email. For some marketing messages we may use Customer Data we collect about you to help us determine the most relevant marketing information to share with you. We do not use Participant Data we received about you for marketing purposes.
6.2 We will only send marketing messages to users who have chosen to receive them. We will ask you if you would like to receive these messages when we first collect your contact details. You can also change your marketing preference at a later date by following the instructions outlined below:
- Click on the unsubscribe link at the bottom of our marketing emails.
- If you have an online account with us, you might be able to opt-out of marketing emails, features updates through your account settings.
- Email us at privacy@maze.design.
6.3 Please note that if you do opt-out of or do not grant consent to receiving marketing related messages from us, we may still send you non-marketing messages, such as communications relating to the provision of our Service.
6.4 Please rest assured that we will not sell your personal information to a third-party for commercial purposes.
7. Storing and protecting your personal information
7.1 Retention period: We will store Customer Data n we collect about you for no longer than necessary for the purposes set out in Annex 1 and Annex 2 and in accordance with our legal obligations and legitimate business interests.
7.2 Security: We implement appropriate and reasonable technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, change, or damage. All personal information we collect will be stored on our secure servers. We also limit access to your personal information to those employees and other staff who have a business need to have such access. We have put in place procedures to deal with any actual or suspected personal data breach. In the event of any such breach, we have systems in place to work with applicable regulators. In addition, in certain circumstances, we may notify you of breaches affecting your personal information where we are legally required to do so.
7.3 Phishing: We will never send you unsolicited emails or contact you by phone requesting your account ID, password, credit or debit card information or national identification numbers.
8. Your rights in respect of your personal information
8.1 If you are resident in the United Kingdom or the European Economic Area, in accordance with applicable privacy law, you have the following rights in respect of your personal information that we hold:
- (a) Right of access. You have the right to obtain:
- (i) confirmation of whether, and where, we are processing your personal information;
- (ii) information about the categories of personal information we are processing, the purposes for which we process your personal information and information as to how we determine applicable retention periods;
- (iii) information about the categories of recipients with whom we may share your personal information; and
- (iv) a copy of the personal information we hold about you.
- (b) Right of portability. You have the right, in some circumstances, to receive a copy of the personal information you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal information to another person.
- (c) Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal information we hold about you.
- (d) Right to erasure. You have the right, in some circumstances, to require us to erase your personal information if the continued processing of that personal information is not justified.
- (e) Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal information if the continued processing of the personal information in this way is not justified, such as where the accuracy of the personal information is contested by you.
- (f) Right to object. You have a right, in some circumstances, to object to any processing based on our legitimate interests. There may, however, be compelling reasons for continuing to process your personal information, and we will assess and inform you if that is the case.
8.2 If you wish to exercise one of these rights, please contact us using the contact details provided at the end of this privacy policy. You may also review and edit the personal information you have submitted to us by logging into your account on our website. Please note that if you submit a request to exercise one of these rights in relation to Participant Data we hold about you, we will forward your request to the controller of such Participant Data (i.e. the customer who signed you up as a participant on the Service) as they are responsible for responding to it.
8.3 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
8.4 We will try to respond to all legitimate requests relating to Customer Data within 30 days. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
8.5 Residents in other jurisdictions may have similar rights to the above. If you would like to exercise one of these rights, please contact us using the contact details provided at the end of this privacy policy. We will comply with any request to the extent required under applicable law.
9. Location of your personal information
9.1 Many of our service providers are based outside the United Kingdom or the European Economic Area, so their processing of your personal information will involve a transfer of data to countries based outside of that territory.
9.2 We are under a legal obligation to ensure that people to whom we provide your personal information hold it subject to appropriate safeguards and controls. Whenever we transfer your personal information out of the United Kingdom or the European Economic Area, we ensure a similar degree of protection is afforded to it by implementing measures which comply with applicable privacy law. To receive details of those measures, please contact us using the contact details provided at the end of this privacy policy.
10. Notice on EU-US Data Privacy Framework and UK Extension
MAZE.DESIGN INC. (“Maze”) complies with (i) the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and (ii) the UK Extension to the EU-U.S. DPF (collectively, the ”Data Privacy Framework”) as set forth by the U.S. Department of Commerce. Maze has certified to the U.S. Department of Commerce that Maze adheres to (i) the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the EU in reliance on the EU-U.S. DPF, and (ii) from the UK (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF (collectively, the “DPF Principles”). If there is any conflict between the terms in this privacy policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF), and to view our certification, please visit https://www.dataprivacyframework.gov/.
As described in the DPF Principles (https://www.dataprivacyframework.gov/EU-US-Framework), Maze is accountable for personal data that it receives and subsequently transfers to third parties. If third parties that process personal data on our behalf do so in a manner that does not comply with the DPF Principles, we are accountable, unless we prove that we are not responsible for the event giving rise to the damage. The types of third parties with which we may share your personal data are set out in section 5 of this privacy policy entitled “Information we share with third parties”. The categories of personal data Maze may receive, as well as the purposes for which Maze collects and uses the personal data, are set out in other sections of this privacy policy, including in Annex 1 and Annex 2.
With respect to personal data received or transferred pursuant to the Data Privacy Framework, Maze is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Maze may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
You may have the right to access your personal data and request that we correct, amend, delete it if it is inaccurate or processed in violation of the Data Privacy Framework. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of a third party. To request access to, correction, amendment, or deletion of your personal data, submit a written request to the contact information provided below. We may request specific information from you to confirm your identity.
You may also choose to change personal data or deactivate your account by contacting us using the contact details below. You can also unsubscribe from our marketing communications by following the instructions or unsubscribe mechanism in our marketing e-mails.
In compliance with the DPF Principles, Maze commits to resolve complaints about our collection or use of your personal data. EEA and UK users with inquiries or complaints regarding this privacy policy should first contact us by email at privacy@maze.design, or please write to the following address:
MAZE.DESIGN INC.
800 Menlo Ave, Suite 220
Menlo Park, CA 94025
Maze has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA) with regard to unresolved Data Privacy Framework complaints concerning non-human resource data transferred from the EU.
Additionally, under certain conditions, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. These conditions are more fully described on the Data Privacy Framework website: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
We may amend this Notice on EU-U.S. Data Privacy Framework and UK Extension from time to time consistent with Data Privacy Framework requirements.
11. Links to third party sites
Our Service may, from time to time, contain links to and from third party websites of our partner networks, advertisers, partner merchants, news publications, retailers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check the individual policies before you submit any information to those websites.
12. Changes to this policy
We may update this privacy policy from time to time and so you should review this policy periodically. When we change this privacy policy in a material way, we will update the “last modified” date at the top of this privacy policy. We may also notify you of any changes to this privacy policy via email if such changes are likely to have an important impact on your privacy, or when we are legally required to do so. Changes to this privacy policy are effective when they are posted on this page.
13. Notice to you
If we need to provide you with information about something, whether for legal, marketing or other business related purposes, we will select what we believe is the best way to get in contact with you. We will usually do this through email or by placing a notice on our site. The fact that we may send notices to you will not stop you from being able to opt out of certain types of contact as described in this privacy policy.
14. Children
The Service is not intended for children below the age of 16, and we do not knowingly collect data relating to such children.
15. Complaints
15.1 If you would like to make a complaint regarding this privacy policy or our practices in relation to your personal information, please contact us using the contact details provided at the end of this privacy policy.
15.2 We will reply to your complaint as soon as we can.
15.3 If you feel that your complaint has not been adequately resolved, please note that applicable privacy law may give you the right to contact your local data protection supervisory authority. Further information about how to contact your local data protection authority is available at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm..
16. Contacting us
Questions, comments and requests regarding this privacy policy are welcome and should be addressed to: privacy@maze.design.