Privacy Policy

Effective Date: October 20, 2020
Last Updated: December 2, 2024

Introduction

Rainforest QA (“Rainforest”) understands and respects our users’ need for privacy. This Privacy Notice (“Notice”) describes the types of information we collect, the purposes for which it is used, and the choices you have with respect to its use.

This Notice applies to personal information we collect when you use our Rainforest QA (“Rainforest”) Platform, and the Rainforest website (collectively “Services”). “Personal information” refers to any information that identifies or may potentially identify an individual. This includes your name, email, address, phone number, and other non-public information that is associated with such information. This does not include aggregated or anonymized information. We encourage you to read this Notice in full to understand our privacy practices before using our Services. You can contact us with questions about our privacy practices at privacy@rainforestqa.com.

About Rainforest QA

Rainforest QA is an on-demand Quality Assurance (“QA”) service that provides modern testing for web and mobile apps. Rainforest combines a crowd of human testers (“Tester” or “Testers”) with algorithmic management and virtual machines (“VMs”) to execute web and mobile regression testing for continuous deployment. For more information about our Services, check out the “Features“ section on our website.

This Privacy Notice is organized in the following sections:

  • Scope and Applicability
  • Information We Collect and Receive About You
  • How We Share Your Information 
  • How We Use Your Information 
  • Your Choices
  • Use of Cookies
  • Accessing, Correcting, and Updating Your Information 
  • Data Transfers and Storage
  • How Long We Retain Information 
  • How We Protect Your Information
  • The Children’s Online Privacy Protection Act (“COPPA”)
  • Third-Party Services, Applications, and Websites
  • Changes to this Privacy Notice
  • Our Contact Information

Scope and Applicability

This Notice broadly describes Rainforest’s privacy practices. Some jurisdictions may place additional restrictions on how we process personal information about you and our practices in those jurisdictions may be more restrictive than those described in this Notice.

If you are located in:

  • The European Economic Area (“EEA”) or the United Kingdom (“UK”), please refer to your General Data Protection Regulation (“GDPR”) rights in Appendix A; or
  • California, USA, please also refer to your California Consumer Privacy Act (“CCPA”) rights in Appendix B. 

This Privacy Notice does not apply to:

  • Third-Party Applications, Services, or Businesses: This Notice does not apply to any third-party applications or software that integrate with Rainforest Services or through third-party products, services or businesses. Your interaction with any third-party application or software are subject to that third party's own rules and policies. We encourage you to familiarize yourself with the privacy notices of all websites you visit and interact with.
  • Agreements and Customer Data: This Notice does not apply to information processed through our Platform on behalf of our customers (collectively, “Customer Data”). Rainforest processes Customer Data under the direction of our customers as a “Processor.” 
  • Recruiting and Employment: This Notice does not apply to personal information you provide for recruiting or employment purposes. Please contact us to learn more about our privacy practices related to personal information you provide to us as a job applicant or Rainforest employee.
  • Other Privacy Notices: This notice does not apply when another Privacy Notice is displayed and governs personal information.

Information We Collect and Receive About You

We collect the following information through your use of our Services, and otherwise, with your consent. In some cases, we receive information directly from you, such as your name, the company you work for, and your work email address when you sign up for our Services. We also receive information directly from you when you send us an email inquiry, or when you set up an account as a Tester. In other cases, we receive information through your use of our Services, or through your work as a Tester.

Information You Provide to Us
  • Rainforest account information – We collect personal information about you and your Rainforest account. This information includes your name, address, telephone number, email address, username, User ID, and occupation information, such as organization name and job title, and a profile picture URL (if you are a Tester). You provide this information to us directly during the account registration process. Rainforest requires your name and work e-mail address to create an account.
  • Information you provide at Rainforest-hosted events – When you attend Rainforest-hosted professional education events or conferences, and with your consent, we collect your first and last name, email address, job title, company name, and phone number during the registration process.
  • Information you provide in surveys – For our research purposes, we collect information such as your first and last name, email address, phone number, job title, and company name when you complete Rainforest surveys.
  • Webinars – When attending our webinars online, you provide us with your email address, first and last name, phone number, job title, and position within your company or organization.
Information We Collect Automatically
  • Geolocation information – We collect your geographical location when you interact with our support team through our website chat box.
  • Device information – We collect your browser name and version, operating system, manufacturer, and unique device identifiers, such as your username. We collect this information automatically when you visit our website, use our Services, and/or send us customer service inquiries.
  • Tester information and usage analytics – When you sign up to be a Rainforest Tester, you provide us with your email address, IP Address, browser type, operating system, network connectivity data, your personal image if you have uploaded it using our avatar feature, and testing terminal usage details, such as mouse movements, keystrokes, and the amount of time spent performing a task. We use this information to gauge your performance as a Tester, and to improve our Services. We collect usage details information automatically when you perform testing.  

To learn about your information collection choices and to opt-out of data collection, see the “Your Choices” section below.

Information We Receive from Other Sources

We also collect information about you from other sources, including:

  • Other users of our Services – We receive your first and last name, company name, and work email address from other users when they provide this information to invite you to our Services. Similarly, an administrator may provide your contact information when they designate you as the billing or technical contact on your company’s account, or when they grant you access to your company’s Rainforest account.
  • Other partners – We receive information from third parties such as sales leads and analytic companies to help us find potential customers. We also use third-party service providers to send and distribute e-mail and to perform other marketing and support functions. This includes information such as your name, email address, and phone number.

How We Share Your Information

We share information we collect about you in the ways discussed below. We do not sell information about you to advertisers or other third parties.

Sharing with other users of our Services - When you use our Services, we may share certain information about you with other users:

  • Managed accounts and administrators: If you register or access our Services through an organization such as your employer, certain information about you, including your name, contact info, content, and past use of your account may become accessible to that organization’s administrator or to other individuals with whom the administrator shares access. If you are an administrator for a particular group of users within our Services, we may share your contact information with current or past users, for the purpose of facilitating Services-related requests.

Sharing with third parties – We share information about you with third parties only as described below:

  • Consent provided: We do not currently share your information with third parties for marketing purposes, but if that changes, we will obtain your consent first.
  • External processing: We provide your information to other third parties to help us with our business activities, and to deliver our Services. For example, we use Stripe to process payments. These companies are authorized to use your information only as necessary to provide these services or perform them on our behalf.
  • Mergers and acquisitions: If your personal information is transferred to a party unaffiliated with Rainforest as part of a merger, acquisition, or sale of all or a portion of our assets, we will provide you with notice prior to transferring your personal information to the new entity. Notice will be provided directly through our Services.
  • Legal purposes: We disclose your information when we believe that disclosure is (1) reasonably necessary to comply with any applicable law, regulation, subpoena, legal process, or enforceable governmental request; (2) necessary to enforce the provisions of the Notice; (3) required to enforce our Terms of Service, including investigation of potential violations; or (4) necessary to protect against harm to the rights, property, or safety of Rainforest, our users, or the public as required or permitted by law.
  • Sub-processors – We use sub-processors to operate our Services. For example, we use Amazon Web Services for cloud storage and Intercom for customer support. Our list of sub-processors is:
SubprocessorLocationService
Google Cloud PlatformUSACloud Infrastructure for our platform and services
Amazon Web ServicesUSACloud Infrastructure for our platform and services
PostmarkUSAEmail notifications for our platform
StripeUSACustomer payments
IntercomUSACustomer support
ZendeskUSACustomer support
MixpanelUSABusiness analytics
Attention.techUSACustomer support
HubspotUSACustomer support
CohereUSAProduct analytics
SegmentUSAProduct analytics
DataDogUSAProduct analytics
Google, IncUSASite analytics (web) and customer support (email)
BravadoUSASales enablement

How We Use Your Information

We use collected information to:

  • Communicate with you – We may contact you to respond to your inquiries, requests, and/or send important notices via email. This includes, for example, sending surveys to understand how you are using our services, providing you with customer support, or sending updates about new Service features. See “Your Choices” below to learn how to manage your communication preferences.
  • Provide and improve our Services – We use collected information to provide and analyze how you use our Services, develop new products and services, and improve functionality, quality, and user experience. For more information, see the “Information We Collect and Receive About You” section above.
  • Market our Services – We use collected information to market our Services. We also combine personal information collected on our website with other information we collect online or offline about users to better tailor marketing or website content, including to measure the effectiveness of our advertising, or for other purposes, such as internal research. To learn more about how we track and use your information, see our Cookie Notice.
  • Gauge Tester performance – We use Tester information to gauge your performance, and to improve our Services.
  • Store data – We store data on servers hosted by Google Cloud Platform (“GCP”) and Amazon Web Services (“AWS”) in the United States. We use appropriate technical, administrative, and physical measures to secure your data during storage.

Some of the collected information is necessary for us to deliver our Services to you. If you do not provide this information, we will not be able to deliver our Services to you.

Your Choices

Where appropriate or legally required, we will describe how we use personal information collected, so you can make choices about how your data is used. You can notify us of your preferences during the information collection process and change your selection at any time by contacting us directly.

  • Geolocation – We collect your IP address and geographic location when you inquire about our Services. You can restrict our access to and collection of your location information by disabling location-sharing on your device, located in your device (e.g., mobile phone) settings.
  • Marketing emails – You can choose to stop receiving marketing emails by following the unsubscribe instructions included in these emails, or by using the email address listed in the “Contact Us” section below.

Use of Cookies

We use cookies to collect your personal and other information as you navigate our Services. Cookies help make interactions with our Services easier and faster for our users. For more information about how we use cookies and to learn how to manage cookies and other tracking technologies, see our Cookie Notice.

Accessing, Correcting, and Updating Your Information

You may have certain rights in connection with the personal information we obtain about you. To update your preferences, correct your information, limit the communications you receive from us, or submit a request to exercise your rights, please contact us at privacy@rainforestqa.com.

As required by law, you may have the right to:

  • Request access to certain personal information we maintain about you;
  • Request that we update, correct, amend, erase or restrict certain personal information; and
  • Exercise your right to data portability.

Where our Services are administered for you by an administrator (such as your employer or organization), you may need to first contact your administrator to assist with your requests. For all other requests, you can contact us as provided in the “Contact Us” section below.

In some circumstances you can withdraw consent you previously provided to us or object to the processing of your personal information, and we will apply your preferences moving forward.

To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to your information. For example, we may request that you submit your request by logging into your Rainforest account to confirm your identity.

We may also decline your access request, but if we do, we will provide an explanation for our decision. Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information that we or your administrator are permitted by law to retain. If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work, or where you feel your rights were infringed.

Data Transfers and Storage

We use data hosting service providers in the United States to host the information we collect from you, and we use technical measures to secure your information. We may transfer the personal information we obtain about you to other countries, which may have different data protection laws than the country in which you initially provided the information. To the extent required by applicable law, we will take measures to protect the cross-border transfer of your information.

If you are located outside the US, by submitting personal information to us, you understand that this information will be transferred to Rainforest in the US, which may not have equivalent privacy and data protection laws to the country in which you reside. If you do not want your personal information transferred to the US, please do not submit any information to us or use our Services. In the event that we transfer information about EU citizens outside the EEA, we make use of European Commission-approved standard contractual data protection clauses or other appropriate legal mechanisms to safeguard the transfer.

How Long We Retain Information

The period for which we keep your information depends on the type of information, as described in further detail below. We will either delete or anonymize your information or, if this is not immediately feasible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from further use until we can delete your data.

  • Account information – In case you decide to re-activate our Services we retain your account information for 90 days after your account becomes inactive. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for the improvement and development of our Services, we take steps to eliminate information that directly identifies you.
  • Managed accounts – If our Services are made available to you through an organization (e.g., your employer), we retain your information for as long as is required by the administrator of your account.  For more information, see the “How We Share Your Information” section above.
  • Marketing information – If you have elected to receive marketing emails from us, we retain information about your marketing preferences for a reasonable period of time from the date you last expressed interest in our Services, such as when you last opened an email from us or ceased using your Rainforest account. We retain information derived from cookies and other tracking technologies for a reasonable period of time from the date the information was created. See our Cookie Notice for additional information.

How We Protect Your Information

We use reasonable and appropriate physical, technical, and administrative safeguards to protect your information from unauthorized use, access, loss, misuse, alteration, or destruction. We also require that third-party service providers acting on our behalf or with whom we share your information also provide appropriate security measures in accordance with industry standards.

Notwithstanding our security safeguards, it is impossible to guarantee absolute security in all situations. If you have any questions about security of our Services, please contact us at privacy@rainforestqa.com.

The Children’s Online Privacy Protection Act (“COPPA”)

Our Services are not directed to children under the age of 13, and we do not knowingly collect information from children under the age of 13.

Third-Party Services, Applications, and Websites

Certain third-party services, websites, or applications you use, or navigate to and from our Services, may have separate user terms and privacy policies that are independent of this Notice. This includes, for example, websites owned and operated by our customers or partners. We are not responsible for the privacy practices of these third-party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third-party service, website, and/or application prior to use.

Changes to This Privacy Notice

We periodically update this Notice to describe new features, products, or services, and how those changes affect our use of your information. If we make material changes to this Notice, we will provide notification through our services and/or notify you directly. We encourage you to review this Notice for updates each time you use our Services.

Our Contact information 

If you have questions about this Notice or our information handling practices, please contact us at privacy@rainforestqa.com.

Appendix A - Your GDPR Rights

Additional provisions applicable to processing personal information of individuals based in the EEA and UK.

Scope and Applicability

This Appendix A (“Appendix”) applies to individuals based in the European Economic Area (“EEA”) or the United Kingdom (“UK”) and outlines your rights and choices regarding the processing of personal information we have about you under the General Data Protection Regulation (“GDPR”). This Appendix controls to the extent it conflicts with any provision in the main body of the Notice. Capitalized terms used in this Appendix are defined in our Notice.

Purposes and Legal Bases for Processing

We process personal information about you for the purposes set out above in “Information We Collect and Receive About You” and “How We Use Your Information.” We collect and process personal information about you only where we have a legal basis for doing so under applicable data protection laws. Our legal bases include processing personal information under:

Your consent - Where appropriate or legally required, we collect and use information about you subject to your consent.

Performance of contract - We collect and use information about you to contract with you or to perform a contract that you have with us.

Legitimate interests - We collect and use information about you for our legitimate interests to improve our Services, deliver content, optimize your experience, and market our Services.

Compliance with laws - We may also collect and use information about you:

  • As required by law, such as to comply with a subpoena or similar legal process;
  • When we believe in good faith that disclosure is necessary to protect our rights or property, protect your health and safety or the health and safety of others, investigate fraud, or respond to a government request; or
  • If we are involved in a merger, acquisition, or sale of all or a portion of its assets.

Transfer of Personal Information to Other Countries

When you use our Services and provide personal information to us, we store this information in the United States (“US”), where Rainforest headquarters and IT systems (including servers) are located.

We also transfer personal information we have about you to third parties as described in the “How We Share Your Information” section above. These third parties may be located outside of the EEA. In circumstances that require us to transfer your information to third parties outside the EEA, we will only transfer such information where we have adequate measures in place to provide appropriate safeguards such as Model Clauses (standard contractual clauses produced by the EU Commission).

Although the data protection laws of various countries may differ from those in your own country, we take appropriate steps to ensure that your personal information is handled as described in this Notice and under the law.

Data Subject Rights

The GDPR grants EU citizens and residents certain rights in connection with the personal information collected, as described below.

Right of Access - You have the right to request access and receive certain information about how we use personal information about you and who we share it with.

Right to Rectification - You have the right to request correction of personal information we hold about you where it is inaccurate or incomplete.

Right to Data Portability - You have the right to request a copy of data we hold about you in a structured, machine readable format, and to ask us to share this information with another entity.

Right to Erasure - You have the right to request deletion of the personal information we hold about you:

  • Where you believe that it is no longer necessary for us to hold your personal information;
  • Where we are processing your personal information based on legitimate interests and you object to such processing and we cannot demonstrate an overriding legitimate ground for the processing;
  • Where you have provided your personal information to us with your consent and you wish to withdraw your consent and there is no other ground under which we can process your personal information; or
  • Where you believe the personal information we hold about you is being unlawfully processed by us.

Right to Restriction of Processing - You have the right to ask us to restrict (stop any active) processing of your personal information:

  • Where you believe the personal information we hold about you is inaccurate and while we verify accuracy;
  • Where we want to erase your personal information as the processing is unlawful, but you want us to continue to store it;
  • Where we no longer need your personal information for our processing, but you require us to retain the data for the establishment, exercise, or defense of legal claims; or
  • Where you have objected to us processing your personal information based on our legitimate interests and we are considering your objection.

Right to Object - You can object to our processing of your personal information based on our legitimate interests. We will no longer process your personal information unless we can demonstrate an overriding legitimate purpose.

Objection to Marketing and Profiling - You have the right to object to our processing of personal information for marketing communications. We will stop processing the data for that purpose. Rainforest does not share personal information with third parties for marketing and does not engage in any automated profiling for its Services outlined in this Notice.

Withdrawal of Consent - Where you have provided your consent for us to process your personal information, you can withdraw your consent at any time by emailing privacy@rainforestqa.com

Please note that before we respond to requests for information, we will require that you verify your identity, or the identity of any data subject for whom you are requesting information.

Exercising your Rights

To exercise these rights above, please contact us as noted in the “Our Contact Information” section in this Appendix. 

We will fulfill your request within 30 days of receiving your request. Please note that the above rights may be limited in the following situations:

  • Where fulfilling your request would adversely affect other individuals or company trade secrets or intellectual property;
  • Where there are overriding public interest reasons; or
  • Where we are required by law to retain your personal information.

Our Contact Information

If you have questions about this Notice, Appendix, or your rights, please contact us at: privacy@rainforestqa.com

Appendix B - Your CCPA Rights

Additional provisions applicable to processing personal information of California residents.

Scope and Applicability

This Appendix B (“Appendix”) applies to California residents and outlines your rights and choices with respect to the processing of personal information we have about you under the California Consumer Privacy Act (“CCPA”). This Appendix controls to the extent it conflicts with any provision in the main body of the Notice. Capitalized terms used in this Appendix are defined in our Notice.

Data Collection and Uses

Please see the “Information We Collect and Receive About You” and “How We Use Your Information” sections in our Privacy Notice to learn more about the personal information we collect and use. We collect the following categories of information as classified under the CCPA:

  • Identifiers including real name, online identifier, email address, and title position in the company;
  • Internet or other electronic network activity information, including device information, browser information, and how you use our product; 
  • Geolocation; and
  • Professional or employment-related information.

Personal information does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.

Consumer Rights

The CCPA grants California consumers certain rights in connection with the personal information collected, as described below.

  • Right to Access – You have the right to request access to the categories and specific pieces of personal information we have collected about you in the previous 12 months.
  • Right to Deletion – You have the right to request that we delete any personal information we have collected about you.
  • Right to Request Information – You have the right to request information about the collection and disclosure of your personal information from the previous 12 months.
  • Right to Opt-out of the Sale of Information – You have the right to opt-out of the sale of personal information we have collected about you. Rainforest does not disclose, or “sell” personal information to third parties as defined by the CCPA.
  • Right to Non-Discrimination – You have the right to not receive discriminatory treatment for exercising any of your CCPA rights. Rainforest will not treat you differently for exercising any of the rights described above.

Sharing Personal Information About You

Rainforest does not sell any personal information to third parties. We share the following categories of information as classified under the CCPA with service providers such as suppliers, vendors, business partners, and consultants in order to operate our business and provide you with our Services:

  • Identifiers including real name, online identifier, email address, and business title within company; and
  • Professional or employment-related information.

Please see the “How We Share Your Information” section in our Notice for additional details on how we disclose your personal information with selected recipients for specific purposes.

Exercising your Rights

If you wish to exercise any of the above rights, contact us at privacy@rainforestqa.com or review the “Our Contact Information” section in this Appendix. You may also authorize an individual to submit a verifiable consumer request relating to your personal information.

We will verify your request using the information associated with your account, including email address. Government identification may be required. We cannot respond to your request if we cannot verify your identity and/or authority to make the request on behalf of another and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us.

If you wish to use an authorized agent to submit a request to opt-out on your behalf, you must provide the authorized agent written permission signed by you, the consumer. We may deny a request from an authorized agent if the agent cannot provide to Rainforest your signed permission demonstrating that they have been authorized to act on your behalf.

We will fulfill your request within 45 days of receiving your request. Please note that your request may be limited in certain cases, for example if complying with your request would conflict with:

  • Federal, state or local law;
  • Regulatory inquiries;
  • Subpoenas; or
  • Exercising or defending legal claims.

Our Contact Information

If you have questions about this Notice, Appendix, or your rights, please contact us at privacy@rainforestqa.com.

Rainforest recognizes the importance of security researchers in helping keep our customers safe. We encourage responsible disclosure of security vulnerabilities as described on this page.

Responsible disclosure includes:

  • Providing us a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Making a good faith effort to not leak or destroy any Rainforest user data.
  • Not defrauding Rainforest users or Rainforest itself in the process of discovery.
  • In order to encourage responsible disclosure, we promise not to bring legal action against researchers who point out a problem provided they do their best to follow the above guidelines.

Rewards

Attribution on our Hall of Fame hosted in this page.
Monetary compensation is not currently offered under this program.

Eligibility

Rainforest reserves the right to decide if the minimum severity threshold has been met and whether it was previously reported.
In general, anything which has the potential for financial loss or data breach is of sufficient severity, including:

  • XSS
  • CSRF
  • Authentication bypass or privilege escalation
  • Click jacking (except on www.rainforestqa.com)
  • Remote code execution
  • Obtaining user information

In general, the following would not meet the threshold for severity:

  • Vulnerabilities on sites hosted by third parties (blog.rainforest.com, analytics, info.rainforestqa.com, status.rainforestqa.com, etc) unless they lead to a vulnerability on the main website
  • Denial of Service and brute-force attacks
  • Non-ideal but non-exploitable configuration issues
  • Spamming or phishing
  • Vulnerabilities in third party applications, such as Stripe or Heroku
  • Vulnerabilities in third party applications which make use of the Rainforest API
  • Clickjacking on the marketing website (www.rainforestqa.com)
  • CORS on www.rainforestqa.com
  • Intercom session persisting after logging out of Rainforest

For example, “Your servers are vulnerable to Heartbleed” (with reasonable proof) will absolutely get you listed here, but “Your servers don’t get an A+ rating on SSL Labs” will definitely not. Don’t expect a response for any reported issues that don’t fit with the guidelines.

How To Disclose

Disclose a vulnerability via email

Please include if possible:

  • Description and potential impact
  • Steps to reproduce the issue or a proof of concept
  • Name and link for attribution on this page
  • Thank you for helping keep our community safe!

Hall of Fame

2023

2022

2021

2020

2019

2018

2017

2016

2015