Data Privacy Overview
Zapier takes the protection of our customers’ information seriously and is committed to complying with applicable data privacy laws, including GDPR, UK GDPR, and CCPA, when providing services to our customers. Data privacy is a collaborative effort, and Zapier is also committed to ensuring that you can use Zapier services while complying with your obligations under applicable data privacy laws. This page is designed to help you with your data privacy obligations by providing information about Zapier’s data protection practices and the choices that you have regarding the data processed by Zapier when you use Zapier services.
Privacy Compliance at Zapier
Zapier has ongoing processes to protect your data and privacy rights:
EU-US Data Privacy Framework (DPF) Program
Zapier has certified our compliance with the EU-US Data Privacy Framework (DPF), the UK Extension, and the Swiss-US DPF as set forth by the US Department of Commerce. You can confirm Zapier's certification and participation via the participant list page (search for "Zapier") on the Data Privacy Framework Program website.
Legal Review
Zapier collaborates with legal and other professional counsel to understand its role under both current and proposed data privacy laws and regulations such as GDPR, UK GDPR, and CCPA.
Zapier regularly reviews and periodically updates its Privacy Policy, Data Processing Addendum, and Terms of Service with respect to compliance with such data privacy laws and regulations.
Internal Data Audits
Zapier periodically reviews the types of data that it collects, the reasons for collecting that data, and when Zapier personnel might need to access it.
Vendor Audits
Zapier audits its vendors, both at the time of onboarding and thereafter, to ensure that they adhere to data privacy laws/regulations and sign all relevant Data Processing Addendums.
Communications
Zapier documents pertinent changes in its privacy compliance practices. Customer and partner notification occurs via email, this webpage, and the updates blog. Zapier also maintains an FAQ below that may be useful to review.
Ongoing Process Changes
Zapier continues to refine processes for how it performs customer support, builds services, and handles data. This includes internal documentation, training, and other processes.
Customer Content
For Customer Content (content transferred in and out of Zaps or other Zapier services), you, the customer, are considered the “data controller” of that data from a privacy perspective.
In turn, Zapier is the “data processor” responsible for safeguarding Customer Content as it flows through Zapier’s systems. Zapier’s security measures are described on Zapier’s Security and Compliance page.
As data controller, you are responsible for safeguarding Customer Content as you interact directly with services integrated with Zapier. You should configure your Zaps and integrations to not trigger or work with other users' data without proper consent.
Read more about your role and Zapier’s role in privacy compliance.
Data Privacy FAQ
Where does Zapier store data?
Zapier hosts data in AWS servers located in the United States, including customers’ personal data and the data that is processed on behalf of customers.
How long is data stored in my Zapier account for?
Please review our Data Retention/Deletion/Export page for information about Zapier's data retention/deletion practices.
Why is data stored in my Zapier account for between 29 and 69 days?
This is due to Zapier’s data retention policy for your Zapier account:
- On the first Monday of each month, Zapier deletes old Zap Content and Zap History from your Zapier account.
- At that time, Zapier only retains Zap Content and Zap History from the current and previous month.
Before Zapier deletes your data on the first Monday of the month, Zapier retains up to 69 days of Zap Content and Zap History in your Zapier account. This includes:
- Data from up to 7 days of the current month (depending on when Monday falls).
- Data from the last month (up to 31 days).
- Data from two months ago (up to 31 days).
After Zapier deletes your data on the first Monday of the month, Zapier retains at least 29 days of Zap Content and Zap History in your Zapier account. This includes:
- Data from at least 1 day of the current month (depending on when Monday falls).
- Data from the past month (at least 28 days).
Here is an example of how this process works:
- On Sunday, March 3, your Zapier account contains data from January (two months ago), February (last month), and March (current month).
- On Monday, March 4, Zapier deletes your old account data from January (two months ago) but continues storing data from February (last month) and March (current month).
Note: Customers on Company or Enterprise plans can set a custom data retention period of between 7 and 30 days for data held in their Zapier account.
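The default retention schedule described above, modelled as an added example (not Zapier's code) for working out how much history is held on a given day. It assumes whole calendar months and that on the first Monday itself both the pre-purge and post-purge states can occur; the function names are illustrative, and custom retention periods are not modelled.

```python
from datetime import date, timedelta


def first_monday(year, month):
    """Date of the first Monday of the given month (the purge day)."""
    d = date(year, month, 1)
    return d + timedelta(days=(7 - d.weekday()) % 7)


def month_start(d, back):
    """First day of the month that lies `back` months before d's month."""
    idx = d.year * 12 + (d.month - 1) - back
    return date(idx // 12, idx % 12 + 1, 1)


def retained_window(today, purge_done_today=True):
    """Return (oldest retained date, calendar days held) for `today`.

    Before the monthly purge, data from two months ago is still present;
    after it, only the previous and current month remain.
    """
    purge_day = first_monday(today.year, today.month)
    purged = today > purge_day or (today == purge_day and purge_done_today)
    oldest = month_start(today, 1 if purged else 2)
    return oldest, (today - oldest).days + 1


def retention_bounds(start, end):
    """Smallest and largest number of days held over a date range."""
    spans = []
    d = start
    while d <= end:
        # On the purge day, count both the pre-purge and post-purge state.
        for done in (False, True):
            spans.append(retained_window(d, done)[1])
        d += timedelta(days=1)
    return min(spans), max(spans)


if __name__ == "__main__":
    # The page's example; 2024 is an assumed year in which March 3 is a Sunday.
    print(retained_window(date(2024, 3, 3)))  # January is still held
    print(retained_window(date(2024, 3, 4)))  # January has been purged
    print(retention_bounds(date(2020, 1, 1), date(2030, 12, 31)))
```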
Is there an option to have my data stored only within the EU?
Zapier does not support this option.
Can EU-based customers transfer EU personal data to Zapier?
Yes. In July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. It concluded that the US ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework.
In turn, Zapier has certified our compliance with the EU-US Data Privacy Framework (DPF), the UK Extension, and the Swiss-US DPF as set forth by the US Department of Commerce. You can confirm Zapier’s certification and participation via our Participant Detail page on the Data Privacy Framework Program website.
Does Zapier have a Data Transfer Impact Assessment that I can review?
Yes, please review our Data Transfer Impact Assessment page for more information about international data transfers to Zapier.
Does Zapier sell or market my data to third parties in any way?
No, Zapier does not sell or market your data to third parties.
Where can I find Zapier's DPA? And, will Zapier sign my company’s DPA?
You can find Zapier's DPA on our Data Processing Addendum page.
Zapier can’t sign DPAs from other companies. However, our DPA should be sufficient in any customer relationship with Zapier. Zapier’s DPA contains Standard Contractual Clauses (SCCs) for EU data and includes terms specific to how Zapier’s platform works.
Does Zapier use subprocessors?
Yes, Zapier engages with third-party subprocessors and Zapier affiliates to help provide services to our customers. Please review our Subprocessors page for more information.
Does Zapier have a vetting process for its subprocessors?
Yes, all of Zapier’s subprocessors have undergone an internal legal and security review to assess how customer information is protected, from both privacy and security perspectives.
Does Zapier have EU and UK Representatives?
Yes, Zapier has EU and UK representatives. Individuals and the data protection supervisory authorities in the EU/EEA and individuals and the data protection supervisory authority in the UK may also contact our data protection representatives according to Article 27 GDPR:
EU Representative:
DP-Dock GmbH, Attn: Zapier Inc., Ballindamm 39, 20095 Hamburg, Germany
UK Representative:
DP Data Protection Services UK Ltd., Attn: Zapier Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom
Website: www.dp-dock.com
Email: zapier@gdpr-rep.com
Can I use Zapier with healthcare/medical data? And/or, will you sign my company’s BAA?
The use of regulated healthcare and medical data including Protected Health Information (PHI) under HIPAA isn't supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling PHI or other similar information.
What security certifications does Zapier have and/or where can I find more information about Zapier’s security practices?
Zapier has obtained independent third-party auditor certifications with the AICPA’s SOC for Service Organizations, SOC 2 Type 2, and SOC 3. Please review our Security and Compliance page for more information about these certifications and Zapier’s security practices.