Privacy Policy

Last updated on March 17, 2026. Document History

This Privacy Policy describes how Balsamiq Studios, LLC and its affiliates ("Balsamiq," "we," "us," or "our") collect, use, disclose, and protect your personal information when you use our Services (as defined in our Terms of Service) and Licensed Products (as defined in our EULA).

This Privacy Policy applies to all Balsamiq websites, products, services, and any point of contact you have with Balsamiq. It is a companion document to our Terms of Service, End User License Agreement (EULA), and Data Processing Agreement (DPA), incorporating those agreements by reference. Capitalized terms not defined here have the meanings given in those documents.

We've written this in plain language because we believe you deserve to understand how your data is handled.

By accessing or using our Services or Licensed Products, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services or Licensed Products.

1. Who we are

Balsamiq is a small multi-national organization, based in Italy and the USA. Our corporate group consists of:

  • GJMG Holdings S.r.l. (Italy) — our parent holding company, which owns the Balsamiq trademark, name, and logo.
  • Balsamiq S.r.l. (Italy) — our research and software development entity, based in Bologna, Italy.
  • Balsamiq Studios, LLC (USA) — our sales, marketing, and distribution entity, based in Sacramento, California.

Balsamiq Studios, LLC (USA) and Balsamiq S.r.l. (Italy), together "Balsamiq," "we," "us," or "our," are responsible for your personal data under this Privacy Policy. Staff of both Balsamiq entities collaborate together to keep your data safe and secure. We never sell, rent, or trade your Personal Data.

1.1 Joint controller arrangement

In accordance with GDPR Article 26, the essence of our joint controller arrangement is:

  • Both Balsamiq entities collaborate in joint processing activities as defined in this policy.
  • We have established a single contact point for data subjects, as per this Privacy Policy.
  • Data subject requests are handled by both companies.
  • Our main EU establishment is located in Italy.
  • Balsamiq companies share data for internal administrative purposes.
  • Each Balsamiq entity may conclude agreements with processors also on behalf of the other Balsamiq entity.

1.2 Our role under data protection law

  • For Account Data (like your name, email, billing details): Balsamiq Studios, LLC and Balsamiq S.r.l. act as joint controllers. LLC manages sales, billing, and customer support; Srl manages product operations, analytics, and engineering.
  • For Customer Data (like your wireframes, prototypes, AI inputs and outputs): you are the data controller. Balsamiq acts as a data processor on your behalf, processing Customer Data only to provide the Services and Licensed Products.
  • For Correspondence (like support requests, emails, and feedback): Balsamiq Studios, LLC and Balsamiq S.r.l. act as joint controllers.
  • For Derived Data (anonymized metadata): Balsamiq is the data controller.

2. Data we collect

We only collect the minimum amount of information necessary to fulfill the purpose of your interaction with us.

In this Privacy Policy, "Personal Data" means any data that identifies or could reasonably be used to identify you as an individual. This includes Account Data, Customer Data (to the extent it contains personal data), and Correspondence.

Derived Data is not Personal Data — it is anonymized and aggregated and cannot identify you.

Below is a complete description of each data category.

2.1 Information from website visitors

Like most websites, Balsamiq automatically collects certain information when you visit our websites, even if you do not have an account with us. This includes:

  • Technical details about your device, like your IP address
  • Details about your visit, including the referral URL, pages viewed, and interactions

This data may be collected via cookies and related technologies (see Section 6).

For logged-in customers, we may additionally collect session-level usage data as described in the Usage Data definition under Section 2.2.

2.2 Account Data

Account Data is information we collect to run your account and provide the Services and Licensed Products. It includes:

  • Contact details: like your name and email address.
  • Billing information: like your payment method, billing contact details, and subscription history. We do not store your credit card information — all payment processing is handled by Stripe (for Balsamiq Cloud) or Atlassian Marketplace (for Atlassian integrations). See Section 5.
  • Usage Data: like technical logs, session data, browser and device information, and information about how you interact with our products, services, and websites.
  • Authentication credentials: we store passwords using industry-standard cryptographic hashing and authentication providers. We never store passwords in plain text.

If you upload a photo for your user avatar, we store that as Account Data.

2.3 Customer Data

Customer Data means all wireframes, mockups, prototypes, designs, comments, and other content you create, upload, or store in the Services. This includes AI inputs (like prompts) and AI outputs (like generated wireframes). You own your Customer Data.

When you use the Comments feature, your user ID, email address, and name are stored inside the project data.

We process Customer Data solely to provide the Services to you. We do not use Customer Data to train AI models.

2.4 Correspondence

Correspondence means support requests (chat or email) and any feedback, suggestions, or ideas you share with us.

2.5 Derived Data

Derived Data means anonymized, aggregated metadata generated by our systems from your use of AI features, including usage patterns, performance metrics, and model interaction logs. Derived Data does not include the content of your prompts or outputs, and cannot be used to identify you or reconstruct your Customer Data.

2.6 Information from Licensed Products

Our Licensed Products (Balsamiq for Desktop, Balsamiq for Confluence Data Center, and Balsamiq for Jira Data Center) do not collect or transmit data unless you take a specific action that requires online access, such as accessing product documentation or registering a license.

The only Personal Data we collect from Licensed Products is:

  • Purchase and license information as described in Section 2.2.
  • Correspondence if you choose to contact us via support or feedback forms (see Section 2.4).

Balsamiq for Desktop stores project data locally on your device. We do not have access to it. For Balsamiq for Confluence Data Center and Balsamiq for Jira Data Center, your project data is stored within your organization's Atlassian instance.

Please note: Balsamiq for Desktop is scheduled to reach End-of-Life by December 31, 2027. See details in our EULA.

2.7 In-person visits

When visiting our offices or attending a Balsamiq-sponsored in-person event, you might get photographed or recorded. We may use your image for security and marketing purposes. You can opt out of marketing use at any time by writing to us at support@balsamiq.com.

We use your data for the specific purposes described below. For each purpose, we identify the legal basis under GDPR.

3.1 Providing and operating the Services

We use Account Data and process Customer Data to provide you access to the Services, display your content, and enable collaboration features, on your instructions.

Payment processing, email delivery, analytics, and other operational functions are handled by our subprocessors (see Section 5).

Legal basis: Performance of a contract.

3.2 Customer support

We use Account Data, Correspondence, and where necessary, Customer Data to respond to your support requests, investigate reported issues, and proactively contact you if we detect a problem with your account.

Legal basis: Performance of a contract; legitimate interest in providing effective support.

3.3 AI features

When you choose to use our optional AI features, we send your AI inputs (prompts and, where applicable, project content) to third-party AI providers for processing. Both inputs and outputs are your Customer Data.

We may also collect Derived Data from your AI usage for quality evaluation and to improve the AI features.

Authorized Balsamiq staff may review AI inputs and outputs for safety and quality evaluation. This access is restricted to select staff.

Legal basis: Performance of a contract (for processing your AI requests); legitimate interest (for quality and safety evaluation and Derived Data).

3.4 Analytics and product improvement

We use Usage Data collected through third-party analytics tools to understand how our Services are used, identify issues, and improve our products. Session recordings may incidentally capture visual content from your projects; we mask sensitive inputs and restrict access to select employees.

Legal basis: Legitimate interest in improving our Services for you.

3.5 Communications

We use your contact details to send you:

  • Transactional emails — account confirmations, password resets, billing notifications, service updates. You cannot opt out of these.
  • Product emails — tips, feature announcements, beta program invitations, and user research requests. You can unsubscribe at any time using the link in the email or by reaching out to us at support@balsamiq.com.
  • Marketing emails — newsletters and promotional content. You can unsubscribe at any time using the link in the email or by reaching out to us at support@balsamiq.com.

We always ask for your consent when required by applicable law.

Legal basis: Performance of a contract (transactional); legitimate interest (product emails); consent (marketing, where required by law).

3.6 Security and fraud prevention

We use Account Data, Usage Data, and IP addresses to protect against unauthorized access, detect and prevent fraud, enforce our legal agreements, and comply with applicable laws.

Legal basis: Legitimate interest in protecting our Services and users; legal obligation.

We may process your Personal Data to comply with applicable laws, regulations, legal processes, or governmental requests, and to enforce our legal agreements, exercise or defend legal claims, or protect our rights and the rights of our users.

Legal basis: Legal obligation; legitimate interest.

3.8 User research

We conduct user research studies and early access programs to improve our products, websites, and services. Participation is voluntary and consent-based. Data collected during research is confidential and restricted to authorized staff. You can withdraw your consent and request deletion of your research data at any time.

Legal basis: Consent; legitimate interest.

3.9 Marketing and advertising

We use advertising platforms to promote our Services. This may include conversion tracking and retargeting based on your visits to our websites. See our subprocessor list for the third-party providers we use (Section 5).

Legal basis: Consent (where required by cookie consent laws); legitimate interest.

4. AI features and your data

Because AI raises specific privacy questions, this section provides additional detail beyond what is covered in Section 3.3.

4.1 How our AI features work

Balsamiq offers optional AI features as part of our Services (such as design suggestions, content generation, and content editing). We use Google's Gemini models to power our AI features, as listed on our subprocessor list.

You initiate every AI request. We never send your data to AI providers without your action. When you initiate a request, we send only what is needed for that specific feature. This may include but is not limited to text prompts, screenshots, sketches, or other project content and metadata.

We also retain AI inputs and outputs on our own servers as Customer Data, for support, safety monitoring, and quality improvement purposes.

4.2 How our AI providers use your data

Our AI providers' use of your data is governed by their own terms and commitments, which we evaluate before selecting providers. Our current AI providers have committed not to use your Customer Data to train their models. Providers may retain data briefly for safety or applicable legal purposes only.

4.3 How we use your data from AI features

AI inputs and outputs are considered Customer Data and follow the same retention schedule as all Customer Data. See Section 9.1 for data retention schedules.

4.4 Automated decision-making

Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI features do not make such decisions — they are creative assistance tools. You initiate every request, review every output, and decide whether to use it.

4.5 Opting out

AI features are opt-in per interaction. If you do not want your data sent to AI providers, do not use Balsamiq AI features.

5. How we share your data

We do not sell, rent, or trade your personal data. We share your data only in the following circumstances:

5.1 Subprocessors

We use third-party service providers ("subprocessors") to help us operate the Services. These providers process data on our behalf, under our instructions, and subject to contractual obligations that require them to protect your data.

These obligations include the requirement to provide at least the same level of privacy protection as defined under the DPF Principles (see details below). We remain liable if they process your data in a manner inconsistent with those Principles, unless we can demonstrate we are not responsible for the event giving rise to the damage.

Our current subprocessor list, including the purpose and location of each provider, is maintained at balsamiq.com/legal/subprocessors/. Notice of changes to this list is described in our DPA.

5.2 Atlassian integrations

If you use Balsamiq for Confluence or Balsamiq for Jira (Cloud or Data Center products), your Personal Data is also subject to Atlassian's terms and privacy policies.

We store a temporary copy of your projects on our servers to provide functionality such as autosave and real-time collaboration. This data is regularly sent back to the Atlassian platform for official storage. We retain our temporary copy for up to 30 days. If there are errors sending it to the platform, we might keep the data for longer, as a backup.

5.3 Other integrations

If you use Balsamiq integrations such as the Balsamiq Trello Power-Up, Balsamiq Slack integration, or Balsamiq MCP server, your data may be shared with those third-party platforms to provide the integration functionality. Your use of these platforms is subject to their own terms and privacy policies.

5.4 Payment processors

All payments for Balsamiq Cloud are processed by Stripe. All payments for Atlassian integrations are processed through Atlassian Marketplace or its third-party providers.

We never have access to your full credit card information.

We may disclose your data if required by law, regulation, legal process, or governmental request. We may also disclose data to enforce our legal agreements, protect our rights or safety, or protect the rights or safety of others. Where permitted, we will attempt to notify you of such requests.

5.6 Business transfers

If Balsamiq is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your data.

We may share your data with third parties when you have given us explicit consent to do so.

6. Cookies and tracking technologies

6.1 Essential cookies

Some Services (like Balsamiq Cloud) use cookies to identify whether you have logged in, which is necessary for functionality. Therefore, your browser must be enabled to accept cookies from our Service's domain.

This website uses cookies.

We use cookies to personalise content, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Cookies are small text files that can be used by websites to make a user's experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy.

Please state your consent ID and date when you contact us regarding your consent.

Your consent applies to the following domains: balsamiq.com

Cookie declaration last updated on 3/9/26 by Cookiebot:

6.3 Analytics

We use third-party providers like PostHog and Google Analytics to understand how our websites and web-based Services are used. These tools may use session recordings that capture visual interactions with the product. We configure these tools to minimize data collection and mask sensitive content where possible.

6.4 Marketing

We may use tracking pixels and cookies from advertising platforms to measure ad effectiveness and show you relevant ads on third-party platforms based on your visits to our websites. These cookies are only set with your consent where required by law.

6.5 Your choices

You can manage your cookie preferences, including advertising cookies, through the cookie consent banner on our website. If you configure your browser to refuse cookies, some features of the Services may not function properly.

7. Data storage

7.1 Where your data is stored

Your Personal Data is stored on industry-standard third-party services, like AWS. Data may be processed in the US, EU, or other locations depending on third-party provider terms, the product you use, and your Balsamiq plan.

  • Balsamiq Cloud customers on an Enterprise Plan may choose their data residency region (US or EU).
  • For Balsamiq for Confluence and Balsamiq for Jira, data residency follows your Atlassian settings.
  • Balsamiq for Desktop data is stored on your own machine. We do not have access to it.

See our subprocessor list for more details on third-party providers.

7.2 Data transfer mechanisms

When your personal data is transferred outside of the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following safeguards:

  • EU-U.S. Data Privacy Framework (DPF): Balsamiq adheres to the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. See details below.
  • EU Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use the European Commission's Standard Contractual Clauses. See our SCCs for details.
  • Data Processing Agreement (DPA): Our DPA, available at balsamiq.com/legal/dpa/, governs the processing of Customer Data and incorporates appropriate transfer safeguards.

8. EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF

Balsamiq Studios, LLC* complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Balsamiq Studios, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Balsamiq Studios, LLC, has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit the link here.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Balsamiq Studios, LLC, commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data, including both employment and non-employment related data, received in reliance on these frameworks.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Balsamiq Studios, LLC, commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Balsamiq Studios, LLC at: privacy@balsamiq.com.

In certain situations, Balsamiq Studios, LLC may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We remain liable for all the personal information we receive under the DPF and that we subsequently transfer to third parties acting as agents on our behalf if they process personal information in a manner inconsistent with the DPF principles, unless we prove we are not responsible for the event giving rise to the damage. With respect to personal data received or transferred pursuant to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Balsamiq Studios, LLC is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission (FTC). Under certain conditions, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF provides the right to invoke binding arbitration when other dispute resolution procedures have not provided resolution. This is described in Annex I to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Data Privacy Framework.

Note: Only US-based entities are eligible to self-certify under the EU-U.S. Data Privacy Framework. Balsamiq S.r.l., as an EU-based entity, does not need to self-certify to transfer data within the EU.

9. Data retention

9.1 Data retention schedule

We retain your data only as long as we have a valid business or legal reason to do so.

Data type Purpose
Customer Data (including AI inputs and outputs) Retained during active subscription. Deleted within 60 days after Space closure. Available for export for 30 days after a Space is closed.
Account Data Retained during your relationship with Balsamiq. Deleted within 60 days after contract termination, except where required by law (such as billing and financial records).
Usage Data (technical logs, analytics, security event data) Retained for up to 90 days. Some analytics data may be anonymized and retained longer in aggregated form, when it cannot identify individuals.
Derived Data Retained indefinitely as anonymized and aggregated data. Derived Data cannot identify individuals.
Marketing data Until contract expires plus 90 days, or until you unsubscribe or withdraw consent when applicable, whichever is sooner.
Correspondence (support data, feedback) Retained to ensure continuity of support. You can request deletion at any time.
User research data Retained to improve our products. You can request deletion at any time.

9.2 Space and account data deletion

Your user account and associated Account Data remain intact after a Space closes. You can continue to use your account to access other Spaces or create new ones. If you want to delete your user account entirely, you can do so in your account settings.

10. Your privacy & data rights

10.1 Global data rights

Regardless of your location, Balsamiq provides the same high standard of privacy rights to all users:

  • Right to know & access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can update or correct your account information at any time.
  • Right to erasure ("right to be forgotten"): You can request that we delete your personal data. Requests for data deletion will follow our retention schedules.
  • Right to portability: You can export your Customer Data (wireframes/projects) through the product interface.
  • Right to object & restrict: You can opt-out of "legitimate interest" processing, and request we limit how we process your data.
  • Right to withdraw consent: Where we process your data based on consent, you may withdraw it at any time.
  • Right to non-discrimination: We will never penalize you for exercising your privacy rights.

Additional privacy laws may apply based on your location. You can exercise all of these rights by contacting us at support@balsamiq.com. We will respond within 30 days.

10.2 Rights under GDPR (EEA, UK, Switzerland)

In addition to the above data rights, you have the right to lodge a complaint with your local data protection authority.

Where Balsamiq acts as a data processor for your Customer Data, we will refer data subject requests to the relevant data controller (Space Owner) and assist them in fulfilling those requests, unless we are legally required to respond directly.

10.3 Rights under CCPA / CPRA (California)

We do not collect sensitive personal information as defined by the CPRA.

To exercise your California rights, contact us at support@balsamiq.com.

11. Data security

11.1 Security measures

We implement and maintain technical, physical, and administrative security measures designed to protect your data from unauthorized access, use, or disclosure. These include but are not limited to:

  • Encryption in transit and at rest
  • Logical data isolation
  • Strict access controls (SSO/MFA internally, least privilege)
  • Regular vulnerability scanning, testing, and independent audits
  • Documented incident response and communication procedures
  • Participation in a security bug bounty program
  • SOC 2 Type II compliance

All payments are processed by PCI-DSS compliant processors. Balsamiq does not store your payment card information.

See our security policies and reports in the Balsamiq Trust Center.

11.2 Breach notification

If we become aware of a data breach affecting your Personal Data, we will notify you (and the appropriate supervisory authorities) without undue delay and in accordance with applicable law.

11.3 Who can see my Customer Data?

Only the people you choose to share with can see your Customer Data, as described in our product documentation. Space Owners can also see Customer Data in their Space, including wireframes, prototypes, comments, and usage information as available through the product.

Balsamiq employees may access your Customer Data only:

  • In response to a customer support request
  • To debug and fix an issue
  • To analyze and improve our product
  • For AI safety and quality evaluation (restricted to select staff)

We never make changes to your content unless explicitly requested by a Space Owner. We never share what we see with other customers or the general public, unless you give us explicit permission.

We may provide access to government authorities if required by law. We will inform your Space Owner(s) to the extent we are legally permitted to do so.

12. Sensitive data

Our Services are not designed, certified, or intended to store or process sensitive personal data, including protected health information (HIPAA), financial account numbers, government-issued identifiers, or biometric data. Do not upload or store such data in the Services.

If you are designing interfaces that display or handle such data, use placeholder or anonymized content only.

13. Children's privacy

You must be at least 16 years old to use Balsamiq. We do not knowingly collect personal data from anyone under 16. If we learn that a user is under 16, we will close their account and delete their data. If you become aware that a child has provided us with personal information, please contact us at support@balsamiq.com.

14. Changes to this Privacy Policy

We may update this Privacy Policy at any time by posting the revised version and updating the "Last updated" date. For material changes, we may provide additional notification through email, in-product notifications, or a banner on our website. You are encouraged to periodically review our legal agreements.

By continuing to use the Services after any update, you accept the revised Privacy Policy. If you do not agree, you should stop using the Services.

15. Contact us

If you have questions about this Privacy Policy, want to exercise your data rights, or have a complaint, please contact us:

Email: support@balsamiq.com

Balsamiq Studios, LLC 901 H St Ste 120 #41 Sacramento, CA 95814 USA

Balsamiq S.r.l. Via Romita 2/5 40128 Bologna (BO) Italy

For DPF-related inquiries or complaints, contact us at privacy@balsamiq.com. If we are unable to resolve your concern, you may contact the EU DPA panel, the UK ICO, or the Swiss FDPIC, as applicable.

Document History

  • 17 March 2026: Full rewrite. Updated corporate structure, adopted controller/processor framework for Customer Data, introduced Personal Data and Derived Data definitions, added GDPR legal basis for all processing activities, separated subprocessor list, expanded AI data handling, added CCPA/CPRA rights, added cookie and tracking disclosure, added comprehensive data retention schedule, clarified international transfer mechanisms.
  • 18 Dec 2025: Removed Airtable and Lookback as Third-Party Vendors, and added Condens.
  • 30 Sep 2025: Added Balsamiq AI features section and updated Google vendor entry to include their Gemini model.
  • 11 Sep 2025: Updated wireframe access guidelines, simplified billing section for Stripe migration, and clarified PostHog session recording capabilities.
  • 27 Jun 2025: Added Customer.io and removed Klaviyo as a Third-Party Vendor.
  • 5 Jun 2025: Added clarifications related to Balsamiq for Desktop End-of-Life and continued local data storage.
  • 24 May 2025: Removed WPEngine, no longer used.
  • 6 May 2025: Added the "Your Choices" section to give more clarity related to DPF.
  • 17 February 2025: Added PostHog for web and product analytics, removed Avalara and ProfitWell.
  • 29 January 2025: Clarified the difference between important emails and promotional emails.
  • 17 December 2024: Removed Balsamiq for Google Drive after shutdown.
  • 18 October 2024: Added TinyURL as Third-Party Vendors.
  • 12 October 2024: Added "demographic information (during sign up)" to the data we collect.
  • 2 August 2024: Removed Pivotal Tracker, no longer used.
  • 3 June 2024: Removed mentions of our licensing server because we migrated away from it to Stripe.
  • 11 January 2024: Removed Mailchimp, no longer used.
  • 8 December 2023: Removed WireframesToGo.com, which is now integrated in the app.
  • 24 October 2023: Added EU-U.S. Data Privacy Framework information".
  • 30 August 2023: Updated deleted data retention period from "up to 60 days" to "up to 90 days".
  • 31 July 2023: Added Pivotal Tracker as a Third-Party Vendor.
  • 19 May 2023: Added Klaviyo and ProfitWell as Third-Party Vendors.
  • 5 Jan 2023: Added a note about us potentially emailing customers with relevant product information, and merged the Newsletter section into the "Online Forms" section.
  • 31 Aug 2022: Added Airtable and Lookback as Third-Party Vendors.
  • 8 Apr 2022: Added some wording about visiting our offices.
  • 21 Feb 2022: Removed Zoom Third-Party Vendor.
  • 4 Oct 2021: Added information about our in-app contact forms.
  • 19 Apr 2021: Added Zoom and UsabilityHub as Third-Party Vendors. Added information to further clarify the relationship between Balsamiq SRL and Balsamiq Studios, LLC as joint controllers.
  • 3 Feb 2021: Added Trello Power-Up.
  • 15 Dec 2020: Removed Sendgrid and YouCanBook.Me as Third-Party Vendors.
  • 9 Dec 2020: Removed myBalsamiq following its shutdown and removed PubNub as a Third-Party Vendor.
  • 12 Nov 2020: Updated Online Forms section to be more general, added note on Privacy Shield Notice to indicate our awareness of the recent ruling, and updated Third-Party Vendors list.
  • 2 Apr 2020: Added "Personal Data Stored Inside Projects" section, and mention of crash reports.
  • 21 Feb 2020: Added "User Research" section, clarified "Other Personal Data", and specified how we treat artifacts you send us that contain Personal Data.
  • 17 Jan 2020: Several updates to improve readability, clarify where wireframes are stored, how to invoke your rights, third-party vendors updates, and to clarify when Licensed Products may "call home".
  • 2 May 2019: Added note to comply with section 8.4(d) of the Atlassian Vendor Agreement, added more details to highlight the differences between our Online Services, and how they manage data.
  • 7 Nov 2018: Updated with Privacy Shield information.
  • 2 Aug 2018: Updated deleted data retention period from "7 days" to "up to 60 days".
  • 31 May 2018: Added Wireframestogo.com and UXApprentice.com, improved Children's Privacy section, added proactive support info, and fixed some typos.
  • 25 May 2018: major update to unify our separate privacy policies into one, and to add more detail as required by GDPR.
  • 2008_03_15_balsamiq_privacy_policy.pdf - published March 15, 2008.

Our monthly emails will make you better at your job

Get our inside stories on product design, making things people love, and running a business built to last. Delivered once a month to your inbox.