Data Privacy Overview

Zapier takes the protection of our customers’ information seriously and is committed to complying with applicable data privacy laws, including GDPR, UK GDPR, and CCPA, when providing services to our customers. Data privacy is a collaborative effort, and Zapier is also committed to ensuring that you can use Zapier services while complying with your obligations under applicable data privacy laws. This page is designed to help you with your data privacy obligations by providing information about Zapier’s data protection practices and the choices that you have regarding the data processed by Zapier when you use Zapier services.


Privacy Compliance at Zapier

Zapier has ongoing processes to protect your data and privacy rights:


EU-US Data Privacy Framework (DPF) Program

Zapier has certified our compliance with the EU-US Data Privacy Framework (DPF), the UK Extension, and the Swiss-US DPF as set forth by the US Department of Commerce. You can confirm Zapier's certification and participation via the participant list page (search for "Zapier") on the Data Privacy Framework Program website.


Legal Review

Zapier collaborates with legal and other professional counsel to understand its role under both current and proposed data privacy laws and regulations such as GDPR, UK GDPR, and CCPA.

Zapier regularly reviews and periodically updates its Privacy Policy, Data Processing Addendum, and Terms of Service with respect to compliance with such data privacy laws and regulations.


Internal Data Audits

Zapier periodically reviews the types of data that it collects, the reasons for collecting that data, and when Zapier personnel might need to access it.


Vendor Audits

Zapier audits its vendors, both at the time of onboarding and thereafter, to ensure that they adhere to data privacy laws/regulations and sign all relevant Data Processing Addendums.


Communications

Zapier documents pertinent changes in its privacy compliance practices. Customer and partner notification occurs via email, this webpage, and the updates blog. Zapier also maintains an FAQ below that may be useful to review.


Ongoing Process Changes

Zapier continues to refine processes for how it performs customer support, builds services, and handles data. This includes internal documentation, training, and other processes.


Customer Content

For Customer Content (content transferred in and out of Zaps or other Zapier services), you, the customer, are considered the “data controller” of that data from a privacy perspective.

In turn, Zapier is the “data processor” responsible for safeguarding Customer Content as it flows through Zapier’s systems. Zapier’s security measures are described on Zapier’s Security and Compliance page.

As data controller, you are responsible for safeguarding Customer Content as you interact directly with services integrated with Zapier. You should configure your Zaps and integrations to not trigger or work with other users' data without proper consent.

Read more about your role and Zapier’s role in privacy compliance.

Data Privacy FAQ

Zapier hosts data in AWS servers located in the United States, including customers’ personal data and the data that is processed on behalf of customers.

Please review our Data Retention/Deletion/Export page for information about Zapier's data retention/deletion practices.

This is due to Zapier’s data retention policy for your Zapier account:

  • On the first Monday of each month, Zapier deletes old Zap Content and Zap History from your Zapier account.
  • At that time, Zapier only retains Zap Content and Zap History from the current and previous month.


Before Zapier deletes your data on the first Monday of the month, Zapier retains up to 69 days of Zap Content and Zap History in your Zapier account. This includes:

  • Data from up to 7 days of the current month (depending on when Monday falls).
  • Data from the last month (up to 31 days).
  • Data from two months ago (up to 31 days).


After Zapier deletes your data on the first Monday of the month, Zapier retains at least 29 days of Zap Content and Zap History in your Zapier account. This includes:

  • Data from at least 1 day of the current month (depending on when Monday falls).
  • Data from the past month (at least 28 days).


Here is an example of how this process works:

  • On Sunday, March 3, your Zapier account contains data from January (two months ago), February (last month), and March (current month).
  • On Monday, March 4, Zapier deletes your old account data from January (two months ago) but continues storing data from February (last month) and March (current month).


Note: Customers on Company or Enterprise plans can set a custom data retention period of between 7 and 30 days for data held in their Zapier account.

Zapier does not support this option.

Yes. In July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. It concluded that the US ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework.

In turn, Zapier has certified our compliance with the EU-US Data Privacy Framework (DPF), the UK Extension, and the Swiss-US DPF as set forth by the US Department of Commerce. You can confirm Zapier’s certification and participation via our Participant Detail page on the Data Privacy Framework Program website.

Yes, please review our Data Transfer Impact Assessment page for more information about international data transfers to Zapier.

No, Zapier does not sell or market your data to third parties.

You can find Zapier's DPA on our Data Processing Addendum page.

Zapier can’t sign DPAs from other companies. However, our DPA should be sufficient in any customer relationship with Zapier. Zapier’s DPA contains Standard Contractual Clauses (SCCs) for EU data and includes terms specific to how Zapier’s platform works.

Yes, Zapier engages with third-party subprocessors and Zapier affiliates to help provide services to our customers. Please review our Subprocessors page for more information.

Yes, all of Zapier’s subprocessors have undergone an internal legal and security review to assess how customer information is protected, from both privacy and security perspectives.

Yes, Zapier has EU and UK representatives. Individuals and the data protection supervisory authorities in the EU/EEA and individuals and the data protection supervisory authority in the UK may also contact our data protection representatives according to Article 27 GDPR:


EU Representative

DP-Dock GmbH, Attn: Zapier Inc., Ballindamm 39, 20095 Hamburg, Germany

UK Representative

DP Data Protection Services UK Ltd., Attn: Zapier Inc., 16 Great Queen Street, Covent Garden, London, WC2B 5AH, United Kingdom


Website: www.dp-dock.com

Email: zapier@gdpr-rep.com

The use of regulated healthcare and medical data including Protected Health Information (PHI) under HIPAA isn't supported on Zapier. Zapier also can’t sign business associate agreements (BAAs) or equivalent agreements for handling PHI or other similar information.

Zapier has obtained independent third-party auditor certifications with the AICPA’s SOC for Service Organizations, SOC 2 Type 2, and SOC 3. Please review our Security and Compliance page for more information about these certifications and Zapier’s security practices.