Qlik Product Privacy Policy

How Qlik manages privacy in its products

With increasing privacy/data protection regulations, in particular the EU General Data Protection Regulation (GDPR), Qlik realises that privacy is a significant concern for its customers and partners. Qlik takes this concern seriously and adhears to data protection laws by implementing both security- and privacy-by- design methods in its development process. This Qlik Product Privacy Policy (the “Policy”) addresses how data privacy is managed within the Qlik product portfolio.

1. Qlik On-Premises Products

This section focuses on QlikView®, Qlik Sense®, Qlik NPrinting®, Qlik GeoAnalytics®, Qlik DataMarket®, Qlik Core®, Qlik Analytics Platform®, Qlik Big Data Index® and Qlik Connectors® on-premise product lines (each, an “On-Prem Product,” and collectively, the “On-Prem Products”).

What Data is sent to Qlik by virtue of a customer using any On-Prem Product?

  1. License Activation: When an On-Prem Product is deployed, it needs to be activated using a License Enabler File (LEF).  As part of the activation process, the user is required to provide information such as license key number, owner organization and owner name to Qlik via the applicable On-Prem Product for verification and forensic purposes. This information, together with other product-specific non-personal information (e.g. product version, user agent) and the IP address of the device initiating the activation request, is transmitted from the On-Prem Product to Qlik at the time of initial activation and on such future occasions where the On-Prem Product needs to download an updated LEF file (when additional purchased user licenses are activated, for example).
  2. Authentication: Authentication is a process that happens on a per-user basis, once per usage session. Once logged in, the user does not have to authenticate again until the session that tracks the user has timed out or the user chooses to actively log out. The purpose of this authentication process is to verify the identity of the user for governance purposes. Authentication differs from authorization; authentication determines whether a user can access the Qlik On-Prem Product at all, whereas authorization determines what the user, once authenticated, can see (as determined by the Administrator user).  Authentication data (i.e. username and password) is only sent to Qlik if the user is authenticated using a Qlik Account (“Qlik ID”), such as when logging into an instance of Qlik Sense Desktop that is not connected to a Qlik Sense Enterprise server.  A Qlik Account is not required for authentication purposes if user credentials are managed by the Qlik On-Prem Product directly or via integration with an Identity Access Management system ; in these scenarios, neither authorization nor authentication data is sent to Qlik.
  3. Usage Data:

    Qlik Sense Mobile and Qlik Sense Enterprise collect installation and usage data as described below.  In these products, data is collected on an anonymized basis.

    1. Qlik Sense Mobile:
      Qlik Sense Mobile is capable of collecting administrative data, statistical and demographical data, and operational information and data generated by a user (but not any personal data or personally identifiable information) so that Qlik may gain optimize, support, improve and promote the product. Users may deactivate and reactivate this collection via the Settings Menu within the product.

    2. Qlik Sense Enterprise:
      Qlik collects system data about your installation of Qlik Sense (“Installation Data”) and user metrics (“Usage Data”) (collectively, “Collected Data”).  More information on these is below.

      Type of Collected Data Example When sent to Qlik?
      Installation Data System data such as CPU, RAM, language setting, operating system and version, Qlik sense version, screen size and resolution. On each install, version upgrade or repair
      Usage Data User data within Qlik Sense applications such as mouse movements, what options are clicked, actions taken by the user, visited areas in the product, view states (analysis, edit, insights), features used or not used. In real time

      Qlik Sense installations have a tool called Qlikmetrics which uses cookies to store Collected Data.  In case of internet connection loss, tracked events are saved locally and resent when the user later regains connectivity.

      Qlik uses the Collected Data for analytics purposes so we may better understand the technical environments in which our software is installed and the behavior of users in our products so that we may optimize, support and improve our products and services.  Any Collected Data received is analyzed on a macro, statistical (not by individual user) basis.  Collected Data is anonymously collected.  As no personal data is collected/processed, privacy laws (e.g. EU GDPR) do not apply to such collection/processing.  Nonetheless, users have the ability at the time of installation/upgrade to opt out.  Thereafter, users can later opt out if they so wish by changing the setting in the Qlik Management Console (“QMC”).  Further, Admin Users, on behalf of their entire organization, can opt out their entire organization by changing the setting in the QMC.

      Please see the Qlik User License Agreement (“QULA”) PDF for more details on what information is collected and why (www.qlik.com\legal-terms) .

  4. Log Files & Support data

    What are Log Files?

    On-Prem Products collect operational data, consisting largely of non-personal statistical, demographic and usage data generated by the Qlik product, in log files (“Log Files”) that can later be used for auditing, monitoring and troubleshooting. These Log Files may include user IDs (which could contain personal data).

    Are Log Files sent to Qlik?

    Typically, no.  Log Files are saved locally within the customer environment.  However, a customer can send Log Files and other data to Qlik to assist with troubleshooting/Support issues.  Any content sent to Qlik Support is processed only to resolve the Support issue, is kept securely and is subject to our access and data retention policies.  It is recommended that Log Files and any other data content sent to Qlik for troubleshooting/Support issues are treated in accordance with general IT best practices pertaining to security and access permissions.

    On-Prem Products may be configured via administrative settings to adjust what data is captured in their Log Files.   For more detailed information on Log Files by product type, please see the links at the end of this Policy.

2. Qlik Sense Cloud® Products

This section focuses on products that operate within Qlik Sense Cloud, which is managed and hosted by Qlik, including “Qlik Sense Cloud Basic,” “Qlik Sense Cloud Plus,” “Qlik Sense Enterprise for Elastic deployments” and “Qlik Sense Cloud Business” products (each, a “Cloud Product,” and collectively, the “Cloud Products”).

  1. What personal data is collected when a customer uses a Cloud Product?

    The only personal data that Qlik will receive is information such as authentication information (e.g. Qlik ID).  Qlik also processes usage/statistical data on use of the Cloud Products to (i) assist with troubleshooting issues, and (ii) on an aggregate, anonymized basis, for analytics purposes to ensure quality of service and improve the products.  In Qlik Sense Enterprise for Elastic deployments, Qlik will only receive this data if and only in relation to that part of the service which occurs on Qlik’s cloud architecture (e.g. not if the service is hosted by the customer or a third party).

  2. Where are the data centres that operate Qlik Sense Cloud?

    Qlik has three (3) networked data centres: Dublin, Ireland; North Virginia, USA; and Sydney, Australia.  Qlik uses Amazon Web Services (“AWS”) architecture to operate the Qlik Sense Cloud service.

  3. Can I choose to keep my Qlik Sense Cloud data in my region (e.g. can EU users ensure their data does not leave the EU)?

    Yes, when you create a new Qlik Sense Cloud Business workspace, you can select any of the above three data centres to store your “at-rest” data.  However, if you choose to share that application with someone outside of that region (e.g. a French user sharing it with a US user) or if you travel and access the app in a different region (e.g. a French user travels to USA and accesses the app from the USA), then the data will leave that region (in the foregoing examples, leave the EU).  This is because it will be viewable from “in-memory” data on a server within the Qlik Sense Cloud in the new region and be transported to the data centre closest to the user.  The reason for this is for performance experience of the user/recipient.  The user maintains full control over who they choose to share their apps with, through permissions and access granting.
    Currently, this region-preference server feature is only available for Qlik Sense Cloud Business.  Qlik Sense Cloud Basic does not have this feature and users’ content (regardless of region) is stored in Qlik data centres in the USA.  If you are an EU-based user and wish for your data to be stored in the EU only, you should:

    1. have a Qlik Sense Cloud Business account;
    2. select the Qlik EU data centre (Dublin) as your preference for storing at-rest data;
    3. access the content from the EU only; and
    4. not share the content with any others based outside of the EU.
  4. Content Data Access and Use by Qlik:

    Qlik employees do not access a user’s cloud content unless (a) the user actively shares it with someone at Qlik (e.g. in a Consulting Services context), or (b) Qlik is prompted by a trouble-shooting issue to access the individual content.  Only a specific, limited group of Qlik employees can access individual user content to trouble-shoot and only under strict controls. 

  5. Architecture & Security:
    1. Where are Qlik Sense Cloud products hosted?

      Qlik Sense Cloud products are hosted through Amazon Web Services (“AWS”). You can find the AWS Privacy Policy here: https://aws.amazon.com/privacy/.  A full description of the Qlik Sense Cloud security features can be found here in the Qlik Sense Cloud Security Overview White Paper.

    2. Data retention of content data

      Users may at any time delete their applications and the associated content is controlled by the user.  Once deleted by the user, all information hosted by Qlik in that application is deleted, with back-ups deleted after a period of time in line with our internal data retention rules.  For dormant applications (i.e. applications within accounts that have been inactive for over 12 months), Qlik may delete these applications.  Likewise, Qlik Sense Cloud accounts that are inactive for more than 12 months may be deactivated by Qlik.

    3. Who can access content data?

      For Qlik Sense Cloud subscriptions, all users have control over who has access to apps shared through their personal streams and group owners can control who has access to apps created and shared as part of a work group.

      For Qlik Sense Cloud Basic and Qlik Sense Cloud Plus, apps are not visible to other users until the app creator publishes the app to the user(s) stream. Users control who is invited to view the apps in their stream.

      For Qlik Sense Cloud Business, users can only see an app if they have access to the group workspace and/or if they have access to the stream to which an app is published.  The group owner can control these access rules from the Qlik Cloud Hub, available within the software.

3. Qlik as a Data Processor for customers:

The information below describes when Qlik is a Data Processor and / or Data Controller (as defined under GDPR or analogous legislation).

  1. Cloud:

    Qlik is the Data Controller of personal data collected and processed by Qlik to administer, maintain and improve our Cloud Products, for example authentication data such as usernames and password through Qlik ID, and usage data such as frequency of log-on, usage per day, and traffic/usage per country, etc. which Qlik processes to allocate resources better (e.g. server space) and to better serve Qlik  customers and/or improve Qlik services.  When subscriptions are purchased Qlik maintains, like all businesses, a database of customer and partner contacts for billing, marketing and other ordinary business purposes.  Qlik processes this data in compliance with privacy laws and maintains adequate security protections to protect this data.

    The storing / inputting of personal data content relating to identifiable individuals is not the primary function of Qlik Cloud Products and in conformance with the principle of data minimization and anonymization under GDPR, Qlik does not recommend users insert personal data content into applications in our Cloud Products.  For further information please see the Qlik Cloud Terms of Service.

  2. On-Prem Products

    Qlik is a Data Controller of the information detailed at 1 above (e.g. LEF, authentication, etc.). If a user creates a Qlik Account (e.g. to download Qlik Sense Desktop) or when a customer or partner purchases licences, Qlik does collect basic personal data for which it is the Data Controller.  As is customary, Qlik also maintains a database of customer and partner contact information for billing, marketing and other ordinary business purposes.  Qlik holds this data in compliance with relevant data protection laws and ensures adequate security features are in place around these data types.

    Qlik is not typically a Data Processor for customers of On-Prem Products.  This is because any content a customer chooses to put into or create in Qlik On-Prem applications stay on the customer’s system(s). Qlik does not have access to this content; therefore, the customer, and not Qlik, is the Data Controller and the Data Processor of this content in data protection law terms. Exceptions to this may exist if, when Qlik provides Support or Consulting services to a customer, the customer chooses to share with apps developed within the On-Prem Products which happen to contain personal data.  Such sharing is at the discretion of the customer and the personal data content should be anonymized or minimized by the customer as per privacy law data anonymization / minimization best-practice.  It is therefore not typically necessary for customers to enter into a data processing agreement with Qlik.  For further question on data processing agreements, please contact privacy@qlik.com.

4. Privacy compliance at Qlik

  1. Privacy-By-Design and Privacy-By-Default in products

    Qlik has implemented Privacy-By-Design and Privacy-By-Default protocols that take privacy concerns into account as a native component of its R&D/Product development process.  One example of this is the way QlikView and Qlik Sense address access rights to Qlik applications (“apps”) created within the platform:  unless the creator of the app or someone with administrator rights affirmatively grants access to the app to other users, by default only the creator of the app will have access to it.

  2. General privacy compliance information

    Qlik uses the personal data described above to provide, maintain and improve our products, to resolve technical support issues and to comply with legal requirements.  For further information relating to security, access, the sharing of any personal data as well as children’s privacy, please see the Qlik Website Cookie & Privacy Policy.

5. How can Qlik On-Prem Products help me to comply to the GDPR?

Qlik is aware that compliance with privacy/data protection law, in particular GDPR, is top-of-mind for customers and partners. To that end, there are some useful features in Qlik products that can help you, as the data controller and processor, to comply with EU Data Protection law requirements.  Further information is available at www.qlik.com/gdpr.

6. Resources & Updates

For further information, please contact your usual Qlik contact or CustomerSupport@qlik.com.

Further GDPR information related to Qlik can be found at www.qlik.com/us/gdpr.

For privacy information relating to Qlik’s website and general operations, see https://www.qlik.com/us/legal/cookies-and-privacy-policy


Full list of links used in this document:

https://help.qlik.com/

Qlik Sense Security Overview White Paper: (July 2018)
www.qlik.com/us/resource-library/qlik-sense-security-overview

Qlik On-Prem products
www.qlik.com/legal-terms


Qlik Cloud products

For IT Security related questions (e.g. encryption) you can find information resources on Qlik.com : https://www.qlik.com/us/products/qlik-sense/qlik-sense-cloud

Qlik Cloud’s Terms of Service: https://eu.qlikcloud.com/terms/latest

AWS Privacy Policy: https://aws.amazon.com/privacy/


Further information regarding Log Files:

QlikView https://help.qlik.com/en-US/qlikview/Subsystems/QMC/Content/QMC_System_Setup_QlikViewServers_Logging.htm
Qlik Sense https://help.qlik.com/en-US/sense/Subsystems/PlanningQlikSenseDeployments/Content/Deployment/Server-Logging.htm
Qlik NPrinting https://help.qlik.com/en-US/nprinting/Content/AdministeringQVNprinting/Logging.htm
Qlik Web Connectors https://help.qlik.com/en-US/connectors/Content/Home.htm
Qlik Geoanalytics with QlikView http://bi.idevio.com/wp-content/qlik/qlikview/releases/IdevioMapsForQlikView-5.11.1/user_guide-April_2018.html#What_20data_20is_20transferred_20to_20the_20server_20from_20the_20GeoAnalytics_20connector_3F
Qlik Geoanalytics with Qlik Sense http://bi.idevio.com/wp-content/qlik/qliksense/releases/IdevioMapsForQlikSense-5.11.1/user_guide-April_2018.html#What_20data_20is_20transferred_20to_20the_20server_20from_20the_20GeoAnalytics_20connector_3F
Qlik DataMarket https://help.qlik.com/en-US/connectors/Subsystems/DataMarket_QV_Connector_help/Content/Log-information.htm

Legal Information:

Qlik’s Website Terms of Use: https://www.qlik.com/us/legal/terms-of-use

Qlik Licence Terms: https://www.qlik.com/us/legal/license-terms

Qlik Website Cookie & Privacy Policy: https://www.qlik.com/us/legal/cookies-and-privacy-policy


The information in this document is accurate as of November 2018.  Qlik reserves the right to make changes from time-to-time to the privacy practices of its products and you are encouraged to check this Policy for future updates. This Policy is for information purposes only and does not form part of customer contractual terms.