Qualtrics is an experience management platform that distributes surveys, intercepts and feedback forms through hosted JavaScript and iframes.
Qualtrics is the leading experience management (XM) platform, used to run customer surveys, employee engagement studies, product feedback, market research and brand tracking. The platform is delivered as SaaS from Qualtrics LLC in Provo, Utah, with optional EU data centers in Ireland and the Netherlands. Surveys are typically distributed by email, by hosted link or by an embedded JavaScript intercept on the publisher website.
The Qualtrics Site Intercept and Embedded Feedback scripts set cookies such as QSI_HistorySession (visit history), QSI_S_<survey id> (eligibility for a given intercept) and Q_RequestID. The hosted survey collects IP address, user agent, language, time on page and any answer the user provides, including open text fields and sensitive demographics if you choose to ask them. When embedded behind a login, Qualtrics receives the embedded data and contact list fields you pass to it.
The Site Intercept script writes cookies on the visitor's device, so Article 5(3) of the ePrivacy Directive applies. The survey responses are personal data under the GDPR. When Qualtrics is used for employee experience, employees may not be able to give consent freely, so a different legal basis (legitimate interest, legal obligation) must be documented along with employee information.
For public website intercepts, consent is required before the Qualtrics script loads. Sensitive surveys (health, beliefs, ethnic origin) require explicit Art. 9 GDPR consent. For employee feedback, document a legitimate interest analysis or an obligation grounded in the works council agreement. Always offer a way to skip the survey without negative consequences.
Qualtrics offers EU data centers (qualtrics.eu) in Ireland and the Netherlands. Choosing those keeps survey content in the EU at rest, but Qualtrics LLC is US-headquartered and support teams may access the data from the US. Cover the transfer with the EU-US Data Privacy Framework and Standard Contractual Clauses, and include the Qualtrics data processing addendum in your contract.
Block the Site Intercept until consent is given. Use the EU brand center URL (eu.qualtrics.com or fra1.qualtrics.com). Disable IP collection if not strictly needed; set short retention windows on responses; pseudonymise contact list IDs; restrict the dashboards to need-to-know audiences. For employee experience, agree on the survey content with employee representatives and provide an anonymised aggregate to managers.
Websites using Qualtrics must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Qualtrics collects employee feedback (employee experience), patient or student data, sensitive opinions, when intercepts are used for profiling, or when responses are enriched with CRM data and used for automated decisions.
Sample consent text
We use Qualtrics to invite you to surveys and feedback intercepts. Qualtrics writes cookies on your device, may receive your IP address and survey responses, and processes the data in the United States under the EU-US Data Privacy Framework. We only load Qualtrics if you accept.
Third-party domains contacted
qualtrics.com, siteintercept.qualtrics.com, eu.qualtrics.com, fra1.qualtrics.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| QSI_HistorySession | third_party | session | Stores the visit history used by Site Intercept eligibility logic |
| QSI_S_<survey id> | third_party | 6 months | Tracks eligibility and exposure to a specific intercept survey |
| Q_RequestID | third_party | session | Internal request identifier used by hosted survey pages |
| Q_LANG_PREF | third_party | 1 year | Remembers the language selected for hosted surveys |
Qualtrics uses cookies for user preferences — inform visitors with a consent banner.
The Site Intercept script typically sets QSI_HistorySession (visit history), QSI_S_<id> (intercept eligibility), Q_RequestID and other QSI_ prefixed cookies. The hosted survey page may also set session cookies on the qualtrics.com domain.
Yes. Site Intercepts write cookies and process personal data; Article 5(3) ePrivacy and Article 6 GDPR require prior consent before loading the script.
Consent for public surveys and intercepts. Contract performance or legitimate interest for in-app feedback inside a paid product. For employee experience, free consent is rarely valid; rely on legitimate interest or a documented obligation.
Yes, even when you choose EU data centers. Qualtrics LLC is US-headquartered and support engineers may access the system from the US. Coverage relies on the EU-US Data Privacy Framework and Standard Contractual Clauses.
Recommended for employee experience surveys, patient or student feedback, sensitive topics, intercepts used for profiling, or enrichment with CRM data feeding automated decisions.
Use the EU brand center, block intercepts behind consent, disable IP collection when not needed, limit retention, pseudonymise contacts, restrict dashboards on a need-to-know basis, and document the processing in your records of processing activities.
LimeSurvey (Germany, open source), SurveyMonkey EU Datacenter, Tally (Belgium), Typeform with EU data residency, Survicate or in-house solutions backed by an EU survey engine.
List every QSI_ cookie observed, the qualtrics.com session cookies and any localStorage entries, with purpose, lifetime and controller. Add a paragraph explaining the EU-US Data Privacy Framework basis for the transfer.
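To check that the intercept really is blocked until consent and to build the cookie inventory described above, the following added example (not Qualtrics code and not from the original page) classifies observed cookies against the table on this page and flags requests to the listed domains. The function names, the sample cookie string, the `ZN_EXAMPLE` survey id and the script path are constructed for illustration.

```javascript
// Cookie names and durations from this page's table; the QSI_ catch-all
// covers the "other QSI_ prefixed cookies" the page mentions.
const QUALTRICS_COOKIES = [
  { re: /^QSI_HistorySession$/, label: "QSI_HistorySession", duration: "session" },
  { re: /^QSI_S_.+/, label: "QSI_S_<survey id>", duration: "6 months" },
  { re: /^Q_RequestID$/, label: "Q_RequestID", duration: "session" },
  { re: /^Q_LANG_PREF$/, label: "Q_LANG_PREF", duration: "1 year" },
  { re: /^QSI_/, label: "QSI_ (unlisted)", duration: "unknown" },
];
// Parent domains named on this page; subdomains match on a label boundary.
const QUALTRICS_DOMAINS = ["qualtrics.com", "qualtrics.eu"];

function classifyCookie(name) {
  const hit = QUALTRICS_COOKIES.find((c) => c.re.test(name));
  return hit ? { name, label: hit.label, duration: hit.duration } : null;
}

function isQualtricsHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  return QUALTRICS_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// cookieString: document.cookie or a Cookie header; requestUrls: URLs the page fetched.
function auditPreConsent(cookieString, requestUrls, consentGiven) {
  const cookies = cookieString.split(";")
    .map((pair) => pair.trim().split("=")[0])
    .filter(Boolean)
    .map(classifyCookie)
    .filter(Boolean);
  const hosts = [];
  for (const u of requestUrls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; } // skip malformed URLs
    if (isQualtricsHost(host) && !hosts.includes(host)) hosts.push(host);
  }
  const found = cookies.length > 0 || hosts.length > 0;
  return { cookies, hosts, violation: found && !consentGiven };
}

// Constructed sample: a page state captured before the visitor answered the banner.
const SAMPLE_COOKIES =
  "sessionid=abc; QSI_HistorySession=x; QSI_S_ZN_EXAMPLE=v; theme=dark";
const SAMPLE_URLS = [
  "https://siteintercept.qualtrics.com/placeholder.js", // placeholder path
  "https://notqualtrics.com/lib.js",                    // look-alike, must not match
  "not a url",
];
console.log(auditPreConsent(SAMPLE_COOKIES, SAMPLE_URLS, false));
```

`document.cookie` only exposes cookies readable by the current origin, so for cookies set on the qualtrics.com domain feed the function names taken from the browser's cookie store or a HAR export instead.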