Qlik Product Privacy Notice
How Qlik manages privacy in its products
Qlik realizes that privacy is a significant priority for customers and users of our offerings. Qlik takes our privacy obligations seriously and adheres to data privacy laws, including by implementing both security-by-design and privacy-by-design practices in our products, as well as our development processes. We believe in communicating in an open, transparent manner about the ways in which user data is collected and used, in particular any personal data relating to an identifiable person (“Personal Data”), and respecting customers’ and users’ choice and control over their Personal Data.
- Scope of this Notice
- Qlik product deployment options
- Qlik Cloud
- Qlik Client-Managed Deployments
- Sharing of download/usage data
- Qlik as a Data Processor on behalf of customers
- Qlik applications for mobile devices
- Privacy compliance at Qlik & other information
1. Scope of this Notice
This Qlik Product Privacy Notice (the "Notice") addresses how Personal Data is processed by QlikTech International AB and its affiliates (“Qlik”, “we” or “us”) within the Qlik product portfolio. Specifically, this Notice:
A. informs users of our products about Personal Data collection and use from their use of our products, in Qlik’s capacity as Data Controller (as defined under applicable privacy laws, such as the EU GDPR);
B. provides information useful for customer’s privacy related choices, e.g., Qlik Cloud regions; and
C. describes, in general terms, Qlik’s role as a Data Processor (as defined under applicable privacy laws, such as the EU GDPR) where we may process customer data on a customer’s behalf (“Content Data”). This Content Data may include, if the customer chooses to include in it, Personal Data. If your organization has a written agreement with Qlik governing Qlik’s processing of Content Data containing Personal Data, such as the Qlik Data Processing Addendum, then that agreement applies with regard to its subject matter.
For privacy information relating to Qlik’s other activities, such as our websites, please see the Qlik Privacy & Cookie Notice.
2. Qlik Product Deployment Options
Customers may choose to deploy Qlik's products on-premise or on customer's cloud provider of choice (in either case, "Client-Managed Deployment"), or by utilizing a cloud hosted solution provided and managed by Qlik (“Qlik Cloud”). Some Qlik products may be deployed as a Client-Managed Deployment and on Qlik Cloud. Further information regarding deployment options for Qlik products can be found on help.qlik.com. For confirmation of how your Qlik product is deployed, you should contact your organization's systems administrator/IT department.
3. Qlik Cloud
A. What user Personal Data is processed by Qlik when a user uses Qlik Cloud?
i. Personal Data: Qlik is the Data Controller of user Personal Data collected and processed by us to administer, maintain and improve our products and services. When using Qlik Cloud, user data processed may include (i) licence/tenant activation and consumption data, (ii) authentication data such as usernames and passwords (e.g., when using Qlik Account, not the customer’s own IdP), (iii) technical data from interacting with Qlik Cloud, such as IP address, and (iv) usage data such as frequency of log-in, feature usage, usage per day, etc. Such data may be Personal Data where it is associated with or contains your name or other identifiers. You may also provide contact details (e.g., name, work email, work phone number, employer organization, job title), for example when completing a feedback form or otherwise contact us in-product.
ii. Uses of Personal Data: Qlik processes Personal Data described above for the uses set out below.
(a) Operate Qlik Cloud: We may process your Personal Data to ensure the availability and quality of Qlik Cloud (e.g., authentication). We do this to carry out our contract with you/your organization under the applicable terms.
(b) Qlik Services: We may process your Personal Data to provide you with Qlik services, such as Support and/or Consulting services. We do this to carry out our contract with you/your organization under the applicable terms.
(c) Customer success & adoption: We may process your Personal Data for customer success purposes to assist customers and users in improving their use of Qlik Cloud, for example by making tailored suggestions and delivering insights to customers/users based on their interaction with our offerings. We may also use this data to enhance conversations with existing customers by providing Qlik account teams with greater context and background regarding how customers deploy and use our offerings. We do this to carry out our contract with you/your organization under the applicable terms and for our legitimate business interests in ensuring customers improve/maximize their use of our offerings.
(d) Communication: We may process your Personal Data to contact you if you complete a feedback form in the product and ask to be contacted by us. We process Personal Data for this purpose for our legitimate interest in reviewing your submission and to fulfil/respond to your request.
(e) Improve our offerings: We may process your Personal Data to analyze use of our products and services (e.g., reviewing trends and which features are popular) to improve these. We do this for our legitimate interest in improving our offerings.
(f) Security & compliance: We may process user Personal Data for our legitimate interests in ensuring the security of our offerings, for example to monitor for suspicious activity, and for compliance purposes, such as to review compliance with the applicable usage terms (e.g., validate licensed user numbers) and to comply with our legal obligations (e.g., regarding restricted/denied party lists).
While certain uses of Personal Data may require it to be individualized (e.g., for authentication), Personal Data identifiers are typically removed by Qlik where the data is used for other purposes (e.g., when using statistical data to analyze usage trends to improve our offerings).
B. When is Qlik a Data Processor of customer Content Data within Qlik Cloud?
Subject to our Data Processing Addendum, Qlik would be a Data Processor of any Personal Data within Content Data of a customer while it resides within Qlik Cloud. For further information, please see Section 6 below.
C. Where is Qlik Cloud hosted?
Customers can choose at the time of tenant creation the region of their tenant, and consequently, where their Qlik Cloud Content Data will reside. Qlik Cloud currently has four (4) regions: United States, Ireland, Singapore or Australia. Backups of Qlik Cloud are stored in-region in the US, EU and APAC. For customers using self-hosted software, such as Qlik Forts, any Content Data within such self-hosted software will reside on-premise with the customer. For further information on Forts, see the Qlik Cloud technical overview.
D. Can I choose to keep my Qlik Cloud Content Data in my region (e.g., can EU customers ensure their Content Data does not leave the EU)?
When you create a new Qlik Cloud tenant, you can select any of the available regions to store your Content Data (e.g., apps), such as the EU. Customers maintain control over and are responsible for the access to and disclosure of their Content Data, through permissions and access granting. Please note that certain Content Data may be visible to users within your organization that you have chosen to grant heightened access to (i.e., admins). For further information, please see help.qlik.com resources regarding permissions/roles. While customer Qlik Cloud Content Data is hosted in the selected region, Qlik Cloud Content Data will leave your region if you:
i. share/transmit your Content Data with users outside your region, e.g., invite into your tenant a colleague in a different region; and/or
ii. invite into your tenant or otherwise share/transmit your Content Data with Qlik team members to perform Qlik services, such as Qlik Support or Consulting. For further information, please see Section 6 below.
For queries relating to international transfers of customer Content Data and Qlik’s approach to the Schrems II decision, please see our Schrems II FAQ.
4. Client-Managed Deployments
What data is sent to Qlik by virtue of a customer using a Client-Managed Deployment?
A. License Activation:
i. Data Analytics products: When a Client-Managed Deployment is implemented for Data Analytics products, it may be activated using a License Enabler File (LEF) or Signed Licence Key (SLK). As part of the activation process, the user is required to provide information such as license key number, owner organization and owner (activator) name to Qlik via the applicable Client-Managed Deployment for verification and forensic purposes. This information, together with other product-specific non-Personal Data (e.g., product version, user agent) and the IP address of the device initiating the activation request, is transmitted from the Client-Managed Deployment to Qlik at the time of initial activation and on such future occasions when the product needs to download an updated LEF file (e.g., when additional purchased user licenses are activated). Customers may use one of two systems to activate licenses; Signed License Key (QLS) method or the Serial/Control Number. More information regarding QLS can be found here. For licence/entitlement purposes, Qlik may also receive basic Personal Data (e.g., username, work email, IP address) of the user. QLS periodically sends to Qlik license usage metrics data (for more information please see here). As part of this process, Qlik receives IdP names of users (which may not be Personal Data, however the content of these is controlled by the customer), which Qlik immediately anonymizes, in order to quantify and audit licence usage.
Qlik processes licence data to (i) deliver our offerings and manage our relationship and contract(s) with our customers (e.g., licence forensics, quantification and audit), (ii) provide Qlik services (if relevant), and (iii) for customer success purposes to assist customers and users in improving their use of our products. Our lawful bases for processing this information are to carry out our contract with you/your organization under applicable terms and for our legitimate interests in managing access to and improving our offerings and customers’ use of these.
ii. Data Integration products: To activate a Client-Managed Deployment of a Data Integration product a license document provided with purchase needs to be locally registered with the product. The license document identifies technical details, such as machine or network restrictions and the name of the licensed organization unit. No information (including Personal Data) is transmitted to Qlik in this process.
B. Authentication: Authentication is a process that happens on a per-user basis, once per usage session. Once logged in, the user does not have to authenticate again until the session that tracks the user has timed out or the user chooses to actively log out. The purpose of this authentication process is to verify the identity of the user for governance purposes. Authentication differs from authorization; authentication determines whether a user can access the Client-Managed Deployment at all, whereas authorization determines what the user, once authenticated, can see or do (as determined by the customer’s system administrator (“Admin User”)). Qlik does not receive this data for Client-Managed Deployments.
Type of Qlikmetric
When sent to Qlik?
System data such as CPU, RAM, language setting, operating system and version, Qlik product version, screen size and resolution.
On each install, version upgrade or repair
User behaviour data within Qlik Sense applications such as mouse movements, what options are clicked, actions taken by the user, visited areas in the product, view states (analysis, edit, insights), features used or not used.
In real time
Qlik uses Qlikmetrics for analytics purposes so we may better understand the technical environments in which our software is installed and the behavior of users in our products so that we may optimize, support and improve our offerings. Qlikmetrics is identifiable on a customer (i.e., company name) level but is generally anonymized on an individual (user) level (with the only unique identifier typically being IP address) and is analyzed on a macro, statistical (deidentified) basis only. Users have the ability at the time of installation/upgrade to opt out of Qlikmetrics. Thereafter, users can later opt out if they so wish by changing the setting in the Qlik Management Console ("QMC"). Further, Admin Users, on behalf of their entire organization, can opt out their entire organization by changing the setting in the QMC. We process any Personal Data within Qlikmetrics for our legitimate interest in improving our offerings.
D. Qlik Log Files & Support data
i. What are Log Files?
Client-Managed Deployments collect operational data, consisting largely of non-personal statistical, demographic and usage data generated by the Qlik product, in log files ("Log Files") that can later be used for auditing, monitoring and troubleshooting. These Log Files may include metadata such as user IDs, which could contain basic Personal Data. For Qlik Data Integration products, while the content of the Log Files varies significantly depending on customer-specified logging configurations, it often includes information of servers, network addresses, databases, tables and similar technical data. When the highest level of logging is enabled for Qlik Data Integration products, the Log Files may contain fragments of the data processed by the products, including Personal Data.
ii. Are Log Files sent to Qlik?
Typically, no. Log Files are saved locally within the customer Client-Managed Deployment. However, a customer can send Log Files and other data to Qlik to assist with troubleshooting/support issues. Any data sent to Qlik Support is processed only to resolve the support issue, is kept securely and is subject to our access and data retention policies. We recommend that our customers treat Log Files and any other data content sent to Qlik for troubleshooting/support issues in accordance with IT best practices pertaining to security and access permissions. For further information on Qlik’s role as a Data Processor on behalf of customers for Support Content Data, please see Section 6 below.
Where a customer uses offline mode for QLS, the customer is required to periodically send Log Files to Qlik to identify the number of users of the licenses. Most Qlik product Log Files when provided to Qlik do not contain any Personal Data; they typically contain technical data such as server and network information. In line with data minimization best practices, Customers should review any Log Files or similar transmissions before sending to Qlik to remove any Personal Data content. In the event that Qlik receives Personal Data content within Log Files for user number verification, we process this data pursuant to our contract with you/your organization under the applicable terms and for our legitimate interest in auditing licence numbers. Client-Managed Deployments may be configured via administrative settings to adjust what data is captured in their Log Files. Documentation on Log Files by product type is available on help.qlik.com.
5. Sharing of download/usage data
For both Client-Managed deployments and Qlik Cloud, Qlik may share with your organization/employer your usage (e.g., licence activation) and download (e.g., patch) data relating to Qlik offerings in order to assist your organization in managing its Qlik offerings. Qlik may also share such information with our affiliates to perform our services and/or operate our products, as well as with third party service providers in order to operate our business. For further information sharing of Personal Data, please see the Qlik Privacy & Cookie Notice.
6. Qlik as a Data Processor on behalf of customers
The information below describes when Qlik is a data processor on behalf of our customers. If your organization is a party to the Qlik Customer Agreement (“QCA”), this incorporates our Data Processing Addendum which, subject to its terms and receipt by Qlik, enables your organization to provide Qlik with Personal Data within your Content Data to process on your organization’s behalf, both for Qlik Cloud and/or Qlik services, such as Support or Consulting.
A. Qlik Cloud:
i. Qlik Cloud Content Data: Qlik is the Data Processor of Personal Data within customers’ Content Data while it resides in Qlik Cloud. While customers may input Personal Data under these terms into Qlik Cloud, our terms prohibit the input into Qlik Cloud of PHI, PCI or any other Personal Data subject to industry-specific regulation. For further information please see the QCA and the Data Processing Addendum. Please note that Content Data inputted into Qlik Cloud is solely controlled by the customer.
ii. Self-Hosted Software: For customers using self-hosted software, such as Qlik Forts, any Content Data within such software will reside on-premise with the customer and not within Qlik Cloud; as such Qlik would not be a Data Processor of such Content Data. For further information on Forts see the Qlik Cloud technical overview.
iii. Qlik Cloud Hybrid Data Delivery: Customers may use Qlik Cloud's Hybrid Data Delivery service to stream Content Data from on-premise or in a client-managed cloud to Qlik Cloud or another 3rd party cloud destination of the customer's choosing. Such Content Data may be transferred via a landing zone (managed and controlled by the customer) where it is transformed to make it analytics-ready and usable with Qlik's offerings. Content Data streaming via Qlik Cloud Hybrid Data Delivery is configured and triggered by the customer. Qlik will only host the Content Data (and be a Data Processor of any Personal Data within it) transferred via Qlik Cloud's Hybrid Data Delivery service if (a) the destination chosen by the customer is Qlik Cloud, or (b) where the customer configures Qlik Cloud Hybrid Data Delivery to temporarily route the Content Data via Qlik Cloud (and only while it is held within Qlik Cloud).
iv. Qlik Cloud Content Data Access and Use by Qlik: For Qlik Cloud, customers and their users control who has access to their Content Data shared through their personal spaces and tenant, which may be controlled via the customer’s identity provider (e.g., IdP). Under our policies and controls, Qlik team members do not access a customer's Content Data in their Qlik Cloud tenant unless (a) the customer/user actively shares it with someone at Qlik by invitation into the tenant (e.g., for Consulting or Support services), or (b) the customer/uses removes such Content Data from Qlik Cloud and otherwise sends it to Qlik (e.g., in a Support ticket on Qlik Community). Only a specific, limited group of Qlik employees can access individual user content to troubleshoot, following an explicit invitation by the customer, and only under strict controls.
v. Data Retention of Content Data: Users may at any time during their subscription delete their Content Data. Once deleted by the user, all information hosted by Qlik in that application is deleted, with back-ups deleted after a period of time in line with our internal data retention rules. For dormant Content Data (i.e., applications within accounts that have been inactive for over 12 months), Qlik may delete such Content Data. Likewise, Qlik Cloud accounts that are inactive for more than 12 months may be deactivated by Qlik.
B. Qlik Client-Managed Deployments
Qlik is not typically a Data Processor for customers of Client-Managed Deployments. This is because any Content Data a customer chooses to put into or create in the Qlik Client-Managed Deployment stays on the customer's system(s). Qlik does not host, access or otherwise process this Content Data; therefore, the customer, and not Qlik, is the Data Controller (and the Data Processor, where relevant) of this Content Data in data protection law terms. It is therefore not typically necessary for customers to enter into a data processing agreement with Qlik for Client-Managed Deployments, unless the customer wishes to share with Qlik for Qlik Services (see 6 C below) Content Data containing Personal Data elements.
C. Qlik Services
When Qlik provides Support or Consulting services to a customer, customers may choose to share Content Data (from Qlik Cloud or a Client-Managed Deployment) with Qlik, which may contain Personal Data. Such sharing, and whether the Content Data contains any Personal Data, is at the discretion and control of the customer. Personal Data aspects within Content Data, in particular for Qlik Support, should be anonymized or minimized by the customer as per privacy law data anonymization/minimization best-practice prior to sharing with Qlik, for example before upload to the support portal on Qlik Community.
Please note that Content Data provided to Qlik for Support or Consulting services may leave the customer’s region. This is because, while Qlik Support is generally provided in-region to customers, Qlik’s Support model is 24/7/365 (“follow-the-sun”) in order to provide continuous support to our customers. As such, Support tickets may be dealt with by Qlik team members outside the customer’s region and Support Content Data may be stored/accessible outside of the customer’s region. For Qlik Consulting, while our Consulting team members tend to primarily service customers in the same region, again to best serve our customers, we may rely on Consulting resources and systems outside of the customer’s region. Further information is available in our Schrems II FAQ.
Qlik uses third party subprocessors in relation to Qlik Cloud and Qlik services Content Data. You can find a list of Qlik’s subprocessors on Qlik Community. Qlik’s responsibilities relating to subprocessors are set out in our Data Processing Addendum.
7. Qlik applications for mobile devices
A. Analytics & Diagnostic Data: Qlik mobile applications for mobile devices available through device stores and other sources (collectively, "Qlik Mobile App(s)") may collect and send to Qlik analytics data and/or diagnostic data. Analytics data is data about the usage of features within Qlik Mobile Apps and users can deactivate this analytics data collection in the Qlik Mobile App settings. Qlik may collect analytics data so that Qlik can optimize, improve and promote its products. This analytics data does not include Content Data but may include a user ID (which is anonymized when such data is used for feature/usage analytics purposes). Qlik processes this data for our legitimate interest in improving our offerings. Diagnostic data can be sent by Qlik Mobile App users to Qlik and is not collected automatically by us. This takes two forms: simple diagnostic data and detailed diagnostic data. Simple diagnostic data includes errors, warnings and info messages. Detailed diagnostic data also includes de-bugging information. Neither simple nor detailed diagnostics includes any Content Data and they do not include any Personal Data. Users can activate or deactivate the "detailed" form of diagnostics in the Qlik Mobile App settings. Qlik will not receive any diagnostics data unless a user actively sends this to Qlik, such as by contacting Qlik Support. Qlik processes any diagnostics data to provide technical support and improve Qlik Mobile Apps.
B. Sharing of Content Data within Qlik Mobile Apps: Qlik Mobile Apps may download customer Content Data from relevant customer Qlik data sources (e.g., Qlik Cloud, Client-Managed Deployments) onto their relevant Qlik Mobile App on their device. Authentication and authorization to such data is controlled by customers and their users. Qlik cannot access Content Data within a user’s Qlik Mobile App and Qlik will not receive such content unless explicitly shared by the user with Qlik. Depending on the location of the customer user device and use of certain features, such as push notifications, such Content Data stored in the Qlik Mobile Apps may leave the relevant region of the customer.
8. Privacy compliance at Qlik & other information
A. Privacy-By-Design and Privacy-By-Default in products: Qlik has implemented Privacy-By-Design and Privacy-By-Default protocols that take privacy concerns into account as a native component of its R&D/Product development process. One example of this is the way Qlik Sense addresses access rights to Qlik applications ("apps") created within the platform: unless the creator of the app or someone with administrator rights affirmatively grants access to the app to other users, by default only the creator of the app will have access to it.
B. Lawful bases for processing: Qlik will only collect Personal Data where it is necessary to perform the relevant processing activity and will ensure it is protected by suitable access, retention and other controls. Qlik processes Personal Data as a Data Controller in compliance with privacy laws and uses Personal Data described in this Notice chiefly to provide, maintain and improve our offerings, as well as to comply with legal requirements. The lawful bases under which we process any Personal Data are outlined above, such as to carry out our contracts (e.g., deliver and administer our offerings), our legitimate business interests (e.g., to improve our offerings, to protect our legal or proprietary rights) and/or to comply with legal obligations (e.g., ensure lawful use of our offerings). We may also process Personal Data for other reasons permitted or required by applicable law.
C. Security: Qlik Cloud Content Data is encrypted at-rest. Security details of Qlik Cloud are further set out in our Qlik Cloud technical overview and information relating to Qlik’s security program can be found on our Security Trust page.
D. International Data Transfers: For Personal Data which Qlik is a Data Controller of, Qlik has in place relevant agreements and protections to protect Personal Data. These may include, for example, data protection agreements supplemented, where necessary, by additional protections such as the UK/EU Standard Contractual Clauses to ensure the lawful transfer of Personal Data by Qlik within our international group of companies and with relevant third parties (e.g., service providers). For our measures in relation to Personal Data for which Qlik is a Data Processor (e.g., subprocessors), please see our customer Data Processing Addendum.
E. Further Privacy Information: For further information relating to security, the sharing of any Personal Data, data retention, how we protect Personal Data, children's privacy, as well as data subject rights, please see our Qlik Privacy & Cookie Notice and Trust resources.
F. Contact: Qlik’s Data Protection Officer and privacy team may be contacted at firstname.lastname@example.org or through the contact details provided in our Qlik Privacy & Cookie Notice.
Full list of links used in this Notice:
The information in this Notice is accurate as of 25th April 2022. Qlik reserves the right to make changes from time-to-time to the privacy practices of its products and services and you are encouraged to check this Notice for future updates. This Notice may also be supplemented by further privacy disclosures made available at the time of collection/processing. This Notice is for information purposes only and does not form part of customer contractual terms.