Do they own your data? Maze Privacy Policy Reviewed.

Maze scores 7/10 in our Enterprise Readiness assessment - partially ready for enterprise deployment. While strong in user research capabilities, gaps remain in advanced security and compliance features that large organizations require.


Final Enterprise Readiness Rating: 7/10

✅ Partially ready (Reviewed 2026).

Area | Verdict | Notes
Data Residency & Storage | ⚠️ Partial | Mentions international transfers but no guaranteed residency controls or enterprise deployment options
AI Model Use | ❌ High Risk | No mention of AI/ML usage, model training, or data processing for AI purposes in the policy
Data Minimization | ⚠️ Partial | Collects comprehensive data including screen recordings and automatic behavioral data, with limited minimization controls
Privacy Controls | ✅ Good | Provides individual rights and marketing opt-out but lacks clear enterprise admin controls
Compliance & Auditability | ⚠️ Partial | GDPR compliant and EU-US Data Privacy Framework certified, but no mention of SOC 2, ISO 27001, or HIPAA
Consent Handling | ✅ Good | Clear delineation of customer responsibility for participant consent, but limited built-in consent automation
Model Explainability | ❌ High Risk | Complete absence of AI processing transparency or explainability features
Data Retention & Deletion | ⚠️ Partial | General retention statement without specific timelines or enterprise configuration options
Third-Party Sharing | ⚠️ Partial | Shares with numerous third parties, including marketing and analytics providers, with limited enterprise controls


⚠️ Recommendation for Enterprises:

Adopt Maze with caution. Be especially careful if you handle:

  • Health records or HIPAA-covered data
  • Financial data requiring SOC 2 compliance
  • Legal client communications
  • Trade secrets requiring air-gapped environments

Instead, consider AI tools that:

  • Achieve SOC 2 Type II certification
  • Provide guaranteed data residency controls
  • Offer enterprise deployment options (VPC/on-premise)
  • Implement comprehensive AI governance policies
  • Add configurable retention and third-party sharing controls

Better Alternative:

BuildBetter.ai — GDPR, SOC 2 Type 2, and HIPAA compliant

Zero training on customer data

You own your data. Fully opt-in privacy model.

🔍  Maze Privacy Policy – Enterprise Risk Assessment

Audience: Security-conscious enterprise organizations evaluating a user testing and product research platform for internal use in highly sensitive or regulated environments (e.g. legal, healthcare, finance, tech/IP-heavy orgs).


⚠️ Where Maze Falls Short – Critical Gaps


🔒  1. Data Residency & Storage

Quote: "Many of our service providers are based outside the United Kingdom or the European Economic Area, so their processing of your personal information will involve a transfer of data to countries based outside of that territory."

Risk: Enterprises in regulated industries need guaranteed data residency and control. Cross-border transfers without explicit enterprise controls create compliance risks for healthcare, finance, and legal sectors.

Enterprise Issue:

  • No guaranteed data residency options
  • No mention of VPC or on-premise deployment
  • Service providers globally distributed without enterprise controls

Verdict: ⚠️ Risky for regulated industries


🧠  2. AI Model Use

Risk: Modern user testing platforms commonly use AI for insights and analytics. The policy's complete silence on AI means enterprises have no visibility into whether, or how, their data might be used for model training or AI processing.

Enterprise Issue:

  • No AI/ML usage disclosure
  • No opt-out from model training
  • No bring-your-own-model options

Verdict: ❌ Complete blind spot for enterprise AI governance


📊  3. Data Minimization

Quote: "We may link or combine the Customer Data we collect directly from you and other personal data we collect about you using publicly-accessible sources such as ZoomInfo, Clearbit or LinkedIn."

Risk: The platform collects extensive behavioral data and enriches it with third-party sources. For enterprises handling sensitive data, this broad collection approach creates unnecessary exposure without granular controls.

Enterprise Issue:

  • Automatic data enrichment from third parties
  • Screen recordings with participant data
  • Limited data minimization options mentioned

Verdict: ⚠️ Extensive collection with limited enterprise controls


⚙️  4. Privacy Controls

Quote: "You can also change your marketing preference at a later date by following the instructions outlined below: Click on the unsubscribe link at the bottom of our marketing emails."

Risk: While individual privacy controls exist, enterprises need workspace-level admin controls to manage privacy settings at scale. The policy doesn't clearly address enterprise admin capabilities.

Enterprise Issue:

  • No clear workspace-level privacy controls
  • Individual-focused rather than enterprise admin controls
  • Limited mention of bulk privacy management

Verdict: ✅ Solid individual controls but unclear workspace-level admin features


📦  5. Compliance & Auditability

Quote: "MAZE.DESIGN INC. complies with (i) the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and (ii) the UK Extension to the EU-U.S. DPF"

Risk: While privacy framework compliance is good, enterprises need SOC 2 Type II for security assurance and industry-specific certifications. The absence of these certifications limits adoption in regulated sectors.

Enterprise Issue:

  • No SOC 2 Type II certification mentioned
  • No ISO 27001 or industry-specific compliance
  • Limited audit trail capabilities described

Verdict: ⚠️ Strong GDPR foundation but missing key enterprise certifications


📝  6. Consent Handling

Quote: "Customer is responsible for obtaining the necessary consents from and disclosing to Participants the information that Customer will collect."

Risk: While the policy correctly places consent responsibility on the customer, enterprises need built-in consent management tools to ensure compliance at scale, especially for user research activities.

Enterprise Issue:

  • Limited built-in consent automation
  • Heavy reliance on customer consent management
  • No mention of consent audit trails

Verdict: ✅ Places responsibility appropriately but lacks automation


🔍  7. Model Explainability

Risk: For enterprises using AI-powered insights, the lack of explainability features creates risk around biased or incorrect analysis. Regulated industries need to understand how AI systems process their data.

Enterprise Issue:

  • No AI processing transparency
  • No explainability features mentioned
  • No logs or observability for AI operations

Verdict: ❌ No AI transparency or explainability mentioned


🧼  8. Data Retention & Deletion

Quote: "We will store Customer Data […] we collect about you for no longer than necessary for the purposes set out in Annex 1 and Annex 2 and in accordance with our legal obligations and legitimate business interests."

Risk: The vague retention policy creates uncertainty for enterprises with specific data lifecycle requirements. Regulated industries need configurable retention periods and automated deletion capabilities.

Enterprise Issue:

  • No specific retention timelines
  • No configurable retention policies
  • Unclear post-termination data handling

Verdict: ⚠️ Vague retention with no configurable enterprise policies


🤝  9. Third-Party Sharing

Quote: "Third-parties: Google Tag Manager, Facebook, Twitter, LinkedIn, HighTouch, Segment, Amplitude, Google Analytics, Hotjar, RescueMetrics"

Risk: The extensive third-party sharing, particularly with marketing platforms, creates data exposure risks for enterprises. The policy lacks mechanisms for enterprises to limit or control third-party sharing.

Enterprise Issue:

  • Extensive marketing third-party integrations
  • Limited enterprise control over third-party sharing
  • The prohibition on selling personal information is not stated to extend to every listed third party

Verdict: ⚠️ Extensive third-party ecosystem creates enterprise risk


✅ What Maze Does Right (Credit Where It's Due)

  • Strong GDPR compliance and EU-US Data Privacy Framework certification
  • Clear distinction between customer and participant data roles
  • Comprehensive individual privacy rights implementation
  • Explicit prohibition on selling personal information
  • Professional incident response and breach notification procedures

Disclaimer: This evaluation is based solely on publicly available information and documentation. For formal enterprise vetting, always request a vendor's latest DPA, security whitepaper, and third-party audit reports.