
There are many and varied reasons why your leads aren’t converting to downloads, to sign-ups, or to repeat users, and aren’t making your cohort analysis graphs look astonishing. Meanwhile, the lack of sleep is not making you look good, and you’re starting to feel discouraged when browsing through yet another piece of great growth hacking advice.

One of the not too obvious places to look when struggling with conversion is your data collection practices and privacy policy.

Part of taking privacy and security seriously is not collecting and storing unnecessary private customer data. Trust and reputation rank high, especially in enterprise sales, which puts your data collection practices and privacy policy in an even more central position. Trust takes a long time to earn but no time to lose – even if you haven’t played a dirty game like Volkswagen: Auf Wiedersehen!

Below I have listed four reasons why I consider collecting any private customer data that is not strictly required by an application, especially an enterprise one, a concern from a business point of view. While the reasons are all obvious no-brainers, I hope they can serve as mental alerts when crafting your data collection practices and privacy policy.

Update: The EU General Data Protection Regulation (GDPR)

We now have a very strong fifth reason, from which there is no escape: the GDPR comes into force in May 2018 and applies to all companies processing any personal data of EU residents, regardless of the company’s location. Other key changes include:

  • Customer consent to data collection must be requested in clear and plain language; automatic opt-in clauses will no longer be accepted.
  • A copy of a customer’s personal data must be provided in an electronic format, free of charge.
  • A data breach must be notified within 72 hours of first becoming aware of it.
  • Fines of up to 4% of annual global turnover or €20 million for failing to comply with the GDPR.
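To make the first three of those points concrete, here is an added example (not code from this post or from any product it mentions) of a small sign-up handler that rejects anything short of an explicit opt-in, stores only the fields an allow-list says the service needs, returns a customer’s record as machine-readable JSON, and computes the 72-hour notification deadline. The service, its field names and the sample sign-up payload are all constructed for the example.

```python
"""Data minimisation and explicit consent (added example, not from the post).

Models four of the GDPR points above in a small sign-up handler:
  - consent must be an explicit, affirmative opt-in (a missing, defaulted,
    pre-ticked or free-text value is rejected),
  - only fields the service actually needs are stored (allow-list),
  - a customer's stored data can be returned in a machine-readable format,
  - the 72-hour breach notification deadline is computed from the moment
    the company became aware of the breach.
The service, its field names and the sample payload are constructed for the
example; nothing here is the product discussed in the post.
"""
import json
from datetime import datetime, timedelta

# Fields the hypothetical service needs to deliver what the customer signed up
# for. Anything else in the request is discarded before it reaches storage.
REQUIRED_FIELDS = ("email", "company", "plan")
CONSENT_FIELDS = ("consent", "consent_version")
NOTIFICATION_WINDOW = timedelta(hours=72)


class ConsentError(ValueError):
    """Sign-up data arrived without an explicit opt-in."""


def require_consent(payload: dict) -> None:
    # Only a literal True counts; "yes", 1 or an absent key are not consent,
    # and consent must be tied to the policy version the customer saw.
    if payload.get("consent") is not True or not payload.get("consent_version"):
        raise ConsentError("explicit opt-in and policy version required")


def minimise(payload: dict) -> tuple:
    """Split a request into allow-listed fields to keep and names of dropped ones."""
    kept = {k: payload[k] for k in REQUIRED_FIELDS if k in payload}
    dropped = sorted(
        k for k in payload if k not in REQUIRED_FIELDS and k not in CONSENT_FIELDS
    )
    return kept, dropped


def ingest(payload: dict, store: dict, now_iso: str) -> list:
    """Validate consent, minimise, and record who consented to which policy version."""
    require_consent(payload)
    kept, dropped = minimise(payload)
    if "email" not in kept:
        raise ValueError("email is required to create an account")
    store[kept["email"]] = {
        "data": kept,
        "consent": {"version": payload["consent_version"], "given_at": now_iso},
    }
    return dropped


def export_customer_data(store: dict, email: str) -> str:
    """Machine-readable copy of everything held about one customer."""
    return json.dumps(store[email], indent=2, sort_keys=True)


def breach_notification_deadline(aware_at_iso: str) -> str:
    """Latest time to notify the supervisory authority, as an ISO 8601 string."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    return (aware_at + NOTIFICATION_WINDOW).isoformat()


# Constructed sample payload: a sign-up that also tries to hand over data the
# service does not need (the kind of data the post objects to collecting).
SAMPLE_SIGNUP = {
    "email": "founder@example.com",
    "company": "Example Ltd",
    "plan": "team",
    "phone_contacts": ["+358 40 000 0000"],
    "location_history": [{"lat": 60.17, "lon": 24.94}],
    "consent": True,
    "consent_version": "2018-05",
}

if __name__ == "__main__":
    db = {}
    discarded = ingest(SAMPLE_SIGNUP, db, "2018-05-25T10:00:00+00:00")
    print("discarded before storage:", discarded)
    print(export_customer_data(db, "founder@example.com"))
    print("notify by:", breach_notification_deadline("2018-05-25T10:00:00+00:00"))
```

The allow-list is the part worth copying: fields that never reach storage cannot leak in a breach, cannot be transferred in an acquisition, and never need to be listed in the privacy policy in the first place.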


[Reaction GIF: Jon Stewart, “Bullshit”]

In an environment where phrases such as “Don’t ask for permission, ask for forgiveness”, “Move fast and break things”, and “A startup’s only advantage is speed, we’ll deal with it later” are burned into brains and printed on the walls, I’ve also prepared your counter arguments, so you don’t have to 🙂

1. Growth Hacking Your (Enterprise) Customer Acquisition Process

Why create more barriers to entry than one already has as a new company entering a market? With customers getting more informed and proactive, your chances of reaching potential leads before they’ve already made up their minds keep shrinking. Especially with self-service SaaS subscription models, when you’re yet to have a sales team in place, search engine results together with your privacy policy and ToS are likely all a potential customer will know about you before clicking away to the next potential service on the market. This is also why positive word of mouth is such a sought-after currency, and “Upvote us on Product Hunt” requests keep filling one’s inbox.

Example: I was recently asked to give feedback on a mobile enterprise customer relations assistant, and while I for once was delighted to read “Our Respectful Privacy Policy” (as of Sep 25th 2015), where the company clearly lists all data it would automatically collect and store on its servers, I jumped on the brakes when I read the magnitude of private customer data also being collected and stored. It asks me to give permission to the kind of mobile phone data that got the European Union Data Retention Directive 2006/24/EC declared invalid last year due to “serious interference with the rights to privacy and personal data protection of individuals”. It’s also the kind of data the NSA was/is bulk collecting under the Patriot Act, until Edward Snowden decided it was no longer cool to do so. Furthermore, in case of a sale or M&A, my unrelated private data would be transferred to a new owner, as it could be disclosed to a potential purchaser during the process.

The company may very well need all the data it requires in order to provide the service, but without any technical reasoning, I had trouble understanding how “Bring your own apps” couldn’t be implemented without storing unrelated private customer data, nor why it couldn’t be optional to do so. The explanation I received from the CEO was “a conscious decision […] approach has to be bold to the point that it makes people like you initially uncomfortable […] looking to do a revolutionary change in the market”. Fair enough, one should have big and ambitious goals, and I wish them all the best.

Customer trust is primarily based on a gut feeling, a fact that every company needs to take into consideration and make a conscious decision about, as the company in this particular case had done. Its privacy policy was clear, and despite the fact that I know the company personally, it succeeded in making “people like me*” uncomfortable and unable to accept the terms, thus failing to convert me into a potential customer referral. (*I have built internal systems for sales teams, negotiated purchases and done due diligence on external services. While I no longer represent a company with a large sales organization, I have a network of sales executives.)

Your counter arguments:

  • “People don’t care (until they get hurt).”
  • “Customers who use free services know they are the product.”
  • “We only store metadata and/or share anonymized data with third parties.” Sorry, you know that’s BS.

My point:

Don’t burn your customer acquisition budget by giving your potential customers any reason to doubt you through unnecessary private customer data collection and/or a vague privacy policy.

[Image: negative media spin]

2. Negative Media Spin

What do you want a potential (enterprise) customer to find when it googles your company? That you’re a privacy nightmare like Microsoft’s recently released Windows 10, or creepy like Spotify? A privacy policy is a true communication challenge, and there’s unfortunately a huge divide between a privacy policy and what people actually think they are agreeing to (52% of online Americans believe that when a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users). Media outlets certainly don’t need a breach on the scale of Ashley Madison to start a negative media spin; they’re very capable of doing it by themselves. In fact they love to dig in and make lists, and the more mainstream the media outlet, the worse and more sensational the headlines.

And if you do mess up, say SORRY, as fast as Daniel Ek of Spotify did. Honest and sincere intention makes a difference, but to count, it also needs fast and tangible follow-on actions. Lastly, DO NOT plead ignorance if that’s truly not the case:

“False ignorance is lying. Don’t lie. That you learned in kindergarten, or you didn’t.” – Stephen Colbert

Your counter arguments:

  • “Things will blow over.”
  • “For legal reasons we need to write privacy policy and ToS as broadly and vaguely as possible in order to avoid getting sued later.”

My point:

Sure, any media backlash will blow over in a 24h news cycle, but why smear your search results, waste time, and hand your competitors an advantage on a plate while you keep spinning?

[Reaction GIF: Ron Swanson, “Poop”]

3. Security

At some point in a company’s lifetime, its data is likely to be compromised (no news here), either through internal mistakes, e.g. exposing private user data to other users because of a caching failure, or via external attacks, like our recent favourite example – Ashley Madison.

The Ashley Madison hack has not only shown us how upset betrayers can feel about being betrayed (boohoo) and the still silly state of passwords, and brought us epic moments of comic relief; most importantly, it serves as a masterpiece of false security, which at best can be described as installing a vault door (bcrypt) on a house made of plywood (insecure MD5 hash tokens, including passwords and other credentials hard-coded into the source code).
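The vault-door-on-plywood pattern is easy to reproduce by accident, so here is an added example (my own illustration, not Ashley Madison’s code) of the weak record layout beside a hardened one. A password record that pairs a slow password hash with a fast, unsalted MD5 “login token” derived from the same secret lets anyone holding a leaked record confirm a password guess with one cheap hash, bypassing the slow one entirely; the hardened record derives its token from random bytes instead, so nothing in it is a cheap function of the password. Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without extra packages, and the usernames and passwords are constructed sample data.

```python
"""Vault door on a plywood house (added example; not Ashley Madison's code).

Two ways to keep a password record plus a "remember me" login token.
The WEAK record pairs a slow password hash with a fast MD5 token derived
from the same secret, so the slow hash protects nothing once the record
leaks. The HARDENED record derives the token from random bytes instead.

Assumptions: the slow hash here is PBKDF2-HMAC-SHA256 from the standard
library, standing in for bcrypt so the example runs without extra
packages; usernames and passwords below are constructed sample data.
"""
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # slow-hash work factor (illustrative, not a recommendation)


def slow_hash(password: str, salt: bytes) -> bytes:
    """Deliberately expensive, salted password hash (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_weak_record(username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        # The plywood: a fast, unsalted MD5 over the very secret the slow hash
        # was meant to protect. One md5() call per guess is all it takes.
        "login_token": hashlib.md5((username + password).lower().encode()).hexdigest(),
    }


def make_hardened_record(username: str, password: str) -> tuple:
    """Returns (record to store, token to hand to the client)."""
    salt = os.urandom(16)
    token = secrets.token_urlsafe(32)  # random; carries no information about the password
    record = {
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        # Store only a digest of the token, so a leaked record cannot be replayed either.
        "token_digest": hashlib.sha256(token.encode()).digest(),
    }
    return record, token


def verify_password(record: dict, password: str) -> bool:
    """The only legitimate check: always goes through the slow hash."""
    return hmac.compare_digest(record["pw_hash"], slow_hash(password, record["salt"]))


def verify_token(record: dict, presented_token: str) -> bool:
    """Hardened 'remember me' check against the stored digest."""
    digest = hashlib.sha256(presented_token.encode()).digest()
    return hmac.compare_digest(record["token_digest"], digest)


def weak_record_confirms_guess(record: dict, username: str, guess: str) -> bool:
    """What a leaked WEAK record gives away: a fast oracle for password guesses.

    The slow pw_hash is never consulted, which is exactly why it protects nothing.
    """
    candidate = hashlib.md5((username + guess).lower().encode()).hexdigest()
    return hmac.compare_digest(record["login_token"], candidate)


def has_password_derived_fast_hash(record: dict) -> bool:
    """Review check: does the record carry a token computed directly from the password?"""
    return "login_token" in record


if __name__ == "__main__":
    weak = make_weak_record("alice", "correct horse battery")
    print("weak record leaks a fast oracle:", has_password_derived_fast_hash(weak))
    hardened, token = make_hardened_record("alice", "correct horse battery")
    print("hardened record leaks a fast oracle:", has_password_derived_fast_hash(hardened))
    print("hardened token verifies:", verify_token(hardened, token))
```

The rule this encodes: a system is only as slow to attack as its fastest stored function of the password. Any “convenience” token, legacy hash or cached credential derived from the password must be removed or made random, or the expensive hash is just decoration.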

Your counter arguments:

  • “We use the latest encryption methods and security practices.”
  • “We only store metadata and/or share anonymized data with third parties.” Sorry, you know that’s BS.

My point:

When the shit hits the fan, don’t make it any worse by having stored unnecessary private customer data.

[Reaction GIF: Tim Gunn, “Stunning, I love you”]

4. Your Product Is A Reflection Of Your Data Collection Practices And Privacy Policy

Ultimately, a product is a reflection, and a result, of company values. Therefore, the entire set of company values, vision, and business thinking also needs to be an integral part of your early decision-making process regarding data architecture and private customer data. Whether you look at data collection practices and privacy from a marketing, sales or product strategy point of view, I fully agree with Brian Solis:

“Availability of data is a gift, and if there’s a mutual benefit in the exchange of data, customers are willing to give you whatever data you need. Thus, the opportunity, and responsibility, lies in understanding human dynamics of what privacy means to people that aren’t us. We need to make it matter to people”.

Don’t sell your product short by turning your customers away already at the door. Instead, be mindful of your data collection practices and privacy policy and start growth hacking your cohort analysis graphs.


Paula is a Digital Product Advisor and Top 100 Women in Tech in Europe, focusing on Product, Go-to-market, and Internationalization strategies. Rated as one of the very best startup mentors in Europe, she has to date mentored over 150 digital technology companies on product, marketing and growth. Pick My Brain! is her fixed price service tailored to early stage startups, gender wage gap adjusted for female founders. Contact Paula for digital strategy work or book her as keynote speaker about #Startups #WomenInTech #GenderEquality #Entrepreneurship. Read more about her work and connect @Twitter, @LinkedIn.

“You never learn anything when you speak, only when you listen” – Roelof Botha / Douglas Leone, Sequoia Capital