Last Updated: March 30, 2026
At UX Metrics, LLC, we believe trust is earned through transparency. This page details our compliance posture, security practices, and the third-party services we rely on to deliver the platform. For the full legal text, see our Privacy Policy and Terms of Service.
1. GDPR Compliance
UX Metrics processes personal data in accordance with the European Union General Data Protection Regulation (GDPR). When our customers use the platform to conduct UX research, they act as the Data Controller and UX Metrics acts as the Data Processor.
Legal Basis for Processing
- Contract performance: We process customer account data to provide the services you signed up for.
- Consent: Research participants voluntarily choose to take part in studies. Participants do not need an account and remain anonymous by default.
- Legitimate interest: We use aggregated, anonymized analytics to improve platform performance and reliability.
Data Subject Rights
If you are located in the EU/EEA, you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate or incomplete data
- Erase your data ("right to be forgotten")
- Port your data to another service
- Restrict or object to certain processing activities
- Withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at support@uxmetrics.com.
Data Processing Agreement
A Data Processing Agreement (DPA) is available for customers who require one under GDPR. You can review and download our standard DPA here.
2. CCPA Compliance
UX Metrics complies with the California Consumer Privacy Act (CCPA). If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Delete your personal information
- Opt out of the sale of personal information
- Not be discriminated against for exercising your privacy rights
UX Metrics does not sell personal information to third parties. We never have and never will.
To submit a CCPA request, email support@uxmetrics.com.
3. Subprocessors
We use the following third-party services ("subprocessors") to operate the UX Metrics platform. Each is bound by data processing agreements and industry-standard security practices.
| Service | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Render.com | Application hosting | All application data in transit and during processing | US |
| Neon.tech | PostgreSQL database | All stored data (accounts, studies, participant responses) | US |
| Cloudflare | DNS, CDN, object storage (R2) | All network traffic; uploaded files (images) | Global |
| Stripe | Payment processing | Billing details, subscription status | US |
| Postmark | Transactional email | Email addresses, email content | US |
| Google | OAuth authentication, Analytics | Email address (OAuth); anonymized usage data (Analytics) | US |
| OpenAI | AI inference | Study data submitted for AI-powered analysis | US |
| Anthropic | AI inference | Study data submitted for AI-powered analysis | US |
We will update this table when subprocessors change. If you need advance notice of subprocessor changes, contact us to be added to our notification list.
4. Data Handling Practices
Encryption
- In transit: TLS is enforced for all connections at the Cloudflare edge, and no unencrypted HTTP traffic reaches our origin servers.
- At rest: Database storage is encrypted with AES-256 by the Neon.tech infrastructure.
Data Storage
- Database: PostgreSQL hosted on Neon.tech (US region) with automated backups.
- File uploads: Images and other uploaded files are stored on Cloudflare R2 and served at random, non-guessable URLs.
- Payment data: Handled entirely by Stripe. We never store credit card numbers on our infrastructure.
Data Retention
- Account data is retained while your account is active.
- Study data and participant responses are retained as long as the study exists.
- When you delete your account, all associated data is permanently removed.
- You can delete individual studies at any time, which removes all associated participant response data.
No Data Selling
UX Metrics never sells, rents, or leases customer data or research participant data to any third party. Period.
5. Security Overview
Authentication & Access
- Password security: All passwords are hashed with bcrypt at a high work factor (cost).
- OAuth: Google OAuth is available as a secure single sign-on option.
- Multi-factor authentication: TOTP-based MFA is available for additional account security.
- Session management: Sessions use encrypted cookies set with the Secure, HttpOnly, and SameSite attributes.
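Two of the claims in the list above can be checked mechanically, and the following is an added example of how (it is not UX Metrics code and nothing about their implementation is assumed beyond the bcrypt and cookie statements). A bcrypt hash carries its cost in the `$2b$NN$` prefix, so a minimum-cost policy can be enforced by inspecting stored hashes and flagging weaker ones for re-hashing at the user's next login, the only time the plaintext is available again. A Set-Cookie header can likewise be parsed to confirm that Secure, HttpOnly and SameSite are all present. The hash strings, cookie headers and the minimum cost of 12 are constructed for illustration.

```python
"""Added example: audit checks for bcrypt work factor and session cookie
attributes. All sample values are constructed; the policy minimum of 12 is
an assumption, not a value stated by the page."""
import re

MIN_BCRYPT_COST = 12  # assumed policy minimum

# bcrypt modular-crypt format: $2a|2b|2x|2y$ + 2-digit cost + $ + 53 chars
# (22 chars of salt followed by 31 chars of hash, bcrypt's own base64 alphabet).
_BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample hashes (same body, different cost prefix); only the
# format is inspected here, they are never verified against a password.
SAMPLE_HASH_OK = "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"
SAMPLE_HASH_WEAK = "$2b$10$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"

# Constructed Set-Cookie header values.
SAMPLE_COOKIE_OK = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
SAMPLE_COOKIE_BAD = "session=abc123; Path=/; HttpOnly"


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost (log2 of the round count) encoded in a bcrypt hash.
    Raises ValueError if the string is not a well-formed bcrypt hash."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(2))


def needs_rehash(hash_str: str, min_cost: int = MIN_BCRYPT_COST) -> bool:
    """True when the stored hash is below policy and should be re-hashed
    the next time the user authenticates successfully."""
    return bcrypt_cost(hash_str) < min_cost


def audit_password_hashes(hashes: dict) -> list:
    """Given {user_id: bcrypt_hash}, return the user ids that need a re-hash."""
    return [uid for uid, h in hashes.items() if needs_rehash(h)]


def missing_cookie_attributes(set_cookie_value: str) -> list:
    """Return the required session-cookie attributes absent from a Set-Cookie
    header value. Attribute names are case-insensitive per RFC 6265."""
    parts = set_cookie_value.split(";")[1:]  # drop the name=value pair itself
    present = {p.strip().split("=", 1)[0].lower() for p in parts}
    required = {"secure", "httponly", "samesite"}
    return sorted(required - present)


if __name__ == "__main__":
    print("rehash needed for:", audit_password_hashes({"u1": SAMPLE_HASH_OK, "u2": SAMPLE_HASH_WEAK}))
    print("missing attributes:", missing_cookie_attributes(SAMPLE_COOKIE_BAD))
```

The cost check is useful because bcrypt cost is chosen at hashing time and frozen into the stored string: raising the policy does nothing for existing hashes until each user logs in again, so a periodic audit of the prefix is how you find out how much of the user base is still below the bar.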
Access Controls
- Workspace-level: Role-based permissions (owner, admin, member) control access to team resources.
- Folder-level: Granular permissions (manager, editor, viewer) restrict who can modify studies and view results.
- Study visibility: Studies are only accessible to team members with appropriate permissions and to participants with a direct link.
Infrastructure Security
- Hosting: Render.com provides SOC 2 attested application hosting with automated security patching.
- Network protection: Cloudflare provides WAF (Web Application Firewall), DDoS mitigation, and bot management at the edge.
- CSRF protection: All form submissions are protected against cross-site request forgery.
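To make the "CSRF protection" bullet concrete, here is an added example of a session-bound synchronizer token, the standard pattern for protecting form submissions. It is illustrative code, not UX Metrics' implementation, and the server key, session ids and form payloads are constructed. The token is an HMAC over the session id and a fresh nonce, so a token lifted from one session cannot be replayed in another, and verification uses a constant-time comparison.

```python
"""Added example: session-bound CSRF synchronizer tokens with constant-time
verification. Key and session ids are constructed for illustration."""
import hashlib
import hmac
import secrets

# Assumed: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str, key: bytes) -> str:
    """HMAC-SHA256 over session id and nonce; binds the token to one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Token embedded in the rendered form: <nonce>.<mac>."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce, key)}"


def verify_csrf_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Accept only a token whose MAC was computed for this session.
    compare_digest avoids leaking the MAC through timing differences."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = _mac(session_id, nonce, key)
    return hmac.compare_digest(expected, mac)


def handle_form_post(session_id: str, form: dict, key: bytes = SERVER_KEY) -> str:
    """Reject any state-changing submission without a valid token.
    session_id is taken from the (HttpOnly) session cookie, never from the form."""
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), key):
        return "403 Forbidden: CSRF token missing or invalid"
    return "200 OK"


if __name__ == "__main__":
    token = issue_csrf_token("sess-A")
    print(handle_form_post("sess-A", {"csrf_token": token}))
    print(handle_form_post("sess-B", {"csrf_token": token}))
```

A token of this form is only as private as the page it is rendered into, which is why it is paired with the SameSite and HttpOnly cookie attributes listed under Session management: the attributes stop the browser from attaching the session to cross-site requests in the first place, and the token catches whatever gets through.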
Participant Privacy
- Research participants do not need an account to participate in studies.
- No personally identifiable information (PII) is collected from participants by default.
- No cross-site tracking cookies are placed on participants.
- PII is only collected if the researcher explicitly configures demographic or screening questions that request it.
6. Contact
For questions about our security practices, compliance, or to report a vulnerability: