Product
Research-Backed UX Insights
150,000+ hours of UX research
UX Best Practice Guidelines
Over 700 UX Guidelines
UX-Ray 2.0
beta
Identify Your Biggest UX Opportunities
UX Design Examples
200,000+ Structured Design Examples
UX Benchmarking
Measure and Compare Your UX Performance
Why Baymard?
UX-Query
beta
Figma Plugin
new
Review Tool
Personalized Research
Training & UX Certification
Use cases
Industries
B2C Retail:
Direct-to-Consumer,
Luxury Goods,
Apparel & Accessories,
Footwear,
Jewelry & Watches,
Eyewear,
Home & Hardware,
Electronics & Office,
Mass Merchant,
Furniture & Home Decor,
Health & Beauty,
Sports Gear & Equipment,
Vitamins & Supplements,
Automotive Parts,
Toys, Crafts & Hobbies,
Merchandise & Print-to-Order,
Pet Food & Care,
Video Games,
Educational Reading & Books
Subscriptions & Services:
Digital Subscriptions & SaaS,
Telco,
ISP,
Insurance,
Online Learning
Travel & Accommodation:
Travel Accommodations,
Travel Tours & Experience Booking,
Flight Booking & Airlines
B2B:
Components & Machinery,
Medical & Pharma,
B2B Ecommerce,
Digital Subscriptions & SaaS,
Merchandise & Print-to-Order
Food & Consumables:
Online Grocery,
Food Delivery & Takeout,
Beverages,
Meal Kits,
Consumables Subscriptions,
Vitamins & Supplements
Benchmark Your UX Performance
How does your UX performance stack up against industry leaders and competitors?
UX Audit
Resources
Free UX Research
UX Articles
400+ free UX articles based on large-scale research
Benchmarks
320+ top sites ranked by UX performance
UX Design Examples
18,000+ annotated designs for systematic inspiration
Resources
Code samples, demos, and key stats for usability
Search for Research and Resources
Company
About
Methodology
Jobs
Speaking
Pricing

Processing of personal data at Baymard Institute

1 Introduction

1.1 This privacy notice explains how Baymard Institute ApS ("Baymard", "we", "us", "our") processes personal data in various situations. We provide you with this information as we are required to do so under the General Data Protection Regulation (the "GDPR").

1.2 Below, you will find information on the various situations where we process personal data:

When you visit our website (cookies)
When you communicate with us on behalf of customers, business partners etc.
When you are a recipient of direct marketing
When you have a Baymard account
When you use the Baymard application

2 Controller

2.1 Baymard Institute ApS, Kastanie Alle 41, 3520 Farum, Denmark, CVR no. 38748890, acts as a data controller for the processing of personal data in connection with the below mentioned purposes.

2.2 If you have any questions about how we process personal data, please contact us at support@baymard.com

3 Description of the processing

3.1 Below, please find the specific purposes for our data processing, the categories of personal data that we process, the legal basis for such processing, and the retention periods that we have decided (in specific situations, we may defer from our general retention periods in case of e.g., complaints, objections, or other specific situations).

3.2 When you visit our website (cookies)

3.2.1 Purpose: To ensure the functionality and security on our website (necessary cookies).

3.2.1 Categories: To ensure the functionality and security on our website (necessary cookies).Preferred language and region, username and password, the use of our website, including traffic on the pages, time, what you click, pages/products visited, browser type, keywords, IP address, information about device type (computer, smartphone, etc.), as well as the features used.

3.2.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in ensuring the functionality and security of our website.

3.2.1 Retention: See our cookie declaration.

3.2.2 Purpose: To compile statistics in order to optimize the user experience on our website and the services we offer (statistical cookies).

3.2.2 Categories: Activity on our website, including location, IP-addresses, browser used, time and date of access, operating system, pages visited, web requests etc..

3.2.2 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain you consent to use cookies for statistical purposes. At the same time we obtain your consent to the processing of your personal data, c.f. Article 6(1)(a) of the GDPR.

3.2.2 Retention: See our cookie declaration.

3.2.3 Purpose: To personalise the browsing experience by saving information about your preferences (preference cookies)

3.2.3 Categories: Login details and information related to comments.

3.2.3 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain you consent to use preference cookies. At the same time we obtain your consent to the processing of your personal data, c.f. Article 6(1)(a) of the GDPR.

3.2.4 Purpose: Tracking website visitors for marketing purposes, including targeted advertising (marketing cookies).

3.2.4 Categories: Activity on our website, including location, IP-addresses, browser used, time and date of access, operating system, pages visited, web requests etc.

3.2.4 Legal basis: According to the Danish Executive Order on Cookies we are required to obtain you consent to use targeting cookies for marketing purposes. At the same time we obtain your consent to the processing of your personal data, c.f. Article 6(1)(a) of the GDPR.

3.2.4 Retention: See our cookie declaration.

3.3 When you communicate with us on behalf of customers, business partners etc.

3.3.1 Purpose: Communicating with you when you represent a customer, supplier or another third party.

3.3.1 Categories: Name and contact information, title, and position. The relationship to the business that you represent.

3.3.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing business contacts and fulfilling any agreement, we may have concluded with the company you represent.

3.3.1 Retention: As long as the business relationship exists and up to 2 years after the end of the financial year in which the company account has been deleted.

3.3.2 Purpose: Handling communication via our website contact form.

3.3.2 Categories: Name, email, enquiry type and any other information that you chose to include in the message/communication.

3.3.2 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing communications with you.

3.3.2 Retention: Up to 5 year after the last communication. (Unless a Baymard account is also created by you or your parent organization, then up to 2 years after the company account has been deleted.)

3.3.3 Purpose: Bookkeeping purposes.

3.3.3 Categories: Information stated on invoices such as name and contact details.

3.3.3 Legal basis: Article 6(1)(c) of the GDPR. The legal obligations derive from the Danish bookkeeping legislation.

3.3.3 Retention: Up to 10 years after the end of the financial year to which the invoice, etc. relates to.

3.4 When you are a recipient of direct marketing

3.4.1 Purpose: To send out newsletters (direct marketing).

3.4.1 Categories: Name, email address and any preferences you have given in connection with your subscription.

3.4.1 Legal basis: The consent you have given in accordance with article 6(1)(a) of the GDPR and section 10 of the Danish Marketing Practices Act. You can read more about your right withdraw your consent below.

3.4.1 Retention: Personal data pertaining to our distribution of electronic newsletters will be deleted 2 years after our last newsletter has been distributed to document that we comply with the Danish Marketing Practices, unless you have withdrawn your consent (i.e., unsubscribed) before such time.

3.4.2 If personal data are processed for the purpose of direct marketing, you have the right at any time to object to the processing of your personal data for such marketing, including to object to profiling in so far as it relates to direct marketing. If you object to processing for the purpose of direct marketing, the personal data may no longer be processed for this purpose. Please find our contact information in section 2 above.

3.5 When you have a Baymard account or user

3.5.1 Purpose: Managing Baymard accounts.

3.5.1 Categories: Name, work email, password, company information.

3.5.1 Legal basis: The legal basis for our processing is article 6(1)(f) of the GDPR, as we pursue our legitimate interest in ensuring that you are able to log on to your account as agreed with the company you represent.

3.5.1 Retention: Personal data pertaining to accounts will as a starting point be deleted 2 years after the end of the financial year in which the company account has been deleted.

3.6 When you use the Baymard application

3.6.1 Purpose: To provide you with recommendations on content specifically relevant to you and to provide relevant updates. Along with ensuring security features of the account and fair usage Terms are met.

3.6.1 Categories: Activity in the application, including information on e.g., content and pages visited, features used, duration on each page.

3.6.1 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application and providing you with relevant content.

3.6.1 Retention: Personal data pertaining to accounts will as a starting point be deleted 2 years after the end of the financial year in which the company account has been deleted.

3.6.2 Purpose: Managing our chatbot function and commentary/note section

3.6.2 Categories: Account information and other information that you chose to include.

3.6.2 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application.

3.6.3 Purpose: Upload images to the application.

3.6.3 Categories: Images you choose to upload.

3.6.3 Legal basis: Article 6(1)(f) of the GDPR, as we are pursuing our legitimate interests in managing our application.

3.6.3 Retention: Images uploaded to the account are managed by the account itself (not the person uploading), and are deleted 2 years after the end of the financial year in which the company account has been deleted.

4 Categories of recipients

4.1 We may process and share your personal data with external partners who process personal data on our behalf (data processors). Such external partners include e.g. providers of hosting services, IT systems and technical assistance with regard to our IT.

4.2 Further, we may share your personal data with suppliers or subcontractors, if relevant in their work, insofar as reasonably necessary for the purposes set out in this privacy notice.

4.3 If necessary, e.g., in relation to any disputes or when we otherwise need external advice, we may disclose information to our advisors, such as auditors and lawyers.

4.4 Additionally, we may share personal data with public authorities such as the police, if necessary in relation to a specific case or dispute or if necessary to comply with our legal obligation.

5 Transfer to third countries

5.1 We transfer your personal data to countries outside the EU/EEA, when making data available to our processors, including the United States.

5.2 Further, some of our processors may use sub-processors located in other countries outside the EU/EEA. You can find lists of such sub-processors via the links below:

5.3 Unless the country in question has been approved by the European Commission as having sufficient level of protection (including companies located in the United States that are covered by the EU-US Data Privacy Framework), the basis for the transfer is the European Commission's Standard Contractual Clauses.

5.4 If you want additional information about our transfer of personal data to third countries, you may make a request for such additional information by contacting us (see above).

6 Your rights

6.1 As a starting point and depending on the specific situations, you have the following rights:

Right to withdraw consent: Where you have given your consent for our processing of your personal data (section 2.4), you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us (see contact details above). If you withdraw your consent, the withdrawal will not affect the lawfulness of processing that has already been carried out based on your consent.
Right of access: You have the right to have confirmed whether collection or processing your personal data has taken place, and, if so, you have the right to request a copy of your personal data in a digital format.
Right of rectification: You have the right to require that we correct any inaccurate personal data, and that we complete incomplete personal data.
Right of erasure: In certain circumstances, you have the right to request that we erase personal data concerning you; for example, if it is no longer necessary for the purposes in which it was originally collected.
Right to restrict processing: In certain circumstances, you have the right to request that we restrict the processing of your personal data, for example, if you believe that the personal data is not accurate or lawfully processed.
Right to object to the processing: In certain circumstances, you have the right to request that we stop processing your personal data.
Right to data portability: In certain circumstances, you have the right to receive the personal data you have provided us with in a structured, commonly used, machine readable format, and the right to have us transmit the data to another entity, where technically feasible.

6.2 You can read more about your rights in the Danish Data Protection Agency's guidelines on data subjects' rights, which is available at datatilsynet.dk (in Danish) and at datatilsynet.dk (in English). Please contact us if you wish to exercise any of your rights. The relevant contact details are stated above.

7 Complaint to a supervisory authority

7.1 If you want to lodge a complaint with a supervisory authority about our processing of your personal data, you can do so by contacting the Danish Data Protection Agency via their website, www.datatilsynet.dk