
There are many and varied reasons why your leads aren’t converting to downloads, aren’t converting to sign-ups, aren’t converting to repeat users, and aren’t making your cohort analysis graphs look astonishing, and the lack of sleep is not making you look good. You’re starting to feel discouraged when browsing through yet another piece of great growth hacking advice.

One of the less obvious places to look when struggling with conversion is your data collection practices and privacy policy.

Part of taking privacy, and security, seriously is not collecting and storing unnecessary private customer data. With enterprise sales, trust and reputation rank high, and data collection practices and privacy play an even more central role. Trust takes a long time to earn, but no time to lose – even if you hadn’t played dirty: Auf Wiedersehen VW.

Below I list a few reasons why I find storing any private customer data not required by an application, specifically an enterprise one, a concern from a business point of view. While the reasons are all both obvious and no-brainers, I hope they can serve as mental notification alerts when crafting your data collection practices and privacy policy.

In an environment where phrases such as “Don’t ask for permission, ask for forgiveness”, “Move fast and break things”, and “Startups’ only advantage is speed, we’ll deal with it later” are burned into the brains and printed on the walls, I’ve also prepared your counter arguments, so you don’t have to 🙂



Why create more barriers to entry than one already has as a new company entering a market? With customers getting more informed and proactive, your chances to reach out to potential leads before they’ve already made up their minds keep shrinking. Especially with self-service SaaS subscription models, when you’re yet to have a sales team in place, search engine results together with the privacy policy and ToS are likely all a potential customer will know about you before clicking away to the next potential service on the market. This is also why positive word of mouth is such a sought-after currency, and “Upvote us on Product Hunt” requests keep filling one’s inbox.

Example: I was recently asked to give feedback on a mobile enterprise customer relations assistant, and while I for once was delighted to read “Our Respectful Privacy Policy” (as of Sep 25th 2015), where the company clearly lists all data it would automatically collect and store on its servers, I jumped on the brakes when I read the magnitude of private customer data also being collected and stored. It asks me to give permission to the kind of mobile phone data that got the European Union Data Retention Directive 2006/24/EC declared invalid last year due to “serious interference with the rights to privacy and personal data protection of individuals”. It’s also the kind of data NSA was/is bulk collecting under the Patriot Act, until Edward Snowden decided it was no longer cool to do so. Furthermore, in case of a sale or M&A, my unrelated private data would be transferred to a new owner, and it could be disclosed to a potential purchaser during the process.

The company may very well need all the data it requires in order to provide the service, but without any technical reasoning, I had trouble understanding how “Bring your own apps” couldn’t be implemented without storing unrelated private customer data, nor why it couldn’t be optional to do so. The explanation I received from the CEO was “a conscious decision […] approach has to be bold to the point that it makes people like you initially uncomfortable […] looking to do a revolutionary change in the market”. Fair enough, one should have big and ambitious goals, and I wish them all the best.

Customer trust is primarily based on a gut feeling, a fact that every company needs to take into consideration and make a conscious decision about, as the company in this particular case had done. Its privacy policy was clear, and despite the fact that I know the company personally, it succeeded in making “people like me”* uncomfortable and unable to accept the terms, thus failing to convert me into a potential customer referral. (*I have built internal systems for sales teams, negotiated purchases and done due diligence on external services. While I no longer represent a company with a large sales organization, I have a network of sales executives.)

Your counter arguments:

  • “People don’t care (until they get hurt).”
  • “Customers who use free services know they are the product.”
  • “We only store metadata and/or share anonymized data with third parties.” Sorry, you know that’s BS

My point:

Don’t burn your customer acquisition budget by giving your potential customers any reason for doubt due to unnecessary private customer data collection and/or a vague privacy policy.

Negative media spin


What do you want a potential (enterprise) customer to find when it googles your company? That you’re a privacy nightmare like Microsoft’s recently released Windows 10, or creepy like Spotify? Privacy policy is a true communication challenge, and there’s unfortunately a huge divide between a privacy policy and what people actually think they are agreeing to (52% of online Americans believe that when a company posts a privacy policy, it ensures that the company keeps confidential all the information it collects on users). Media outlets certainly don’t need a data breach of Ashley Madison’s scope to start a negative media spin; they’re very capable of doing it by themselves. In fact they love to dig in and make lists, and the more mainstream the media outlet, the worse and more sensational the headlines.

And if you do mess up, say SORRY, as fast as Daniel Ek of Spotify did. Honest and sincere intention makes a difference, but to count, it also needs fast and tangible follow-on actions.

Lastly, DON’T plead ignorance if that’s truly not the case. “False ignorance is lying. Don’t lie” – Stephen Colbert.

Your counter arguments:

  • “Things will blow over.”
  • “For legal reasons we need to write privacy policy and ToS as broadly and vaguely as possible in order to avoid getting sued later.”

My point:

Sure, any media backlash will blow over in a 24h news cycle, but why smear your search results, waste time, and serve the advantage on a plate to your competitors while you keep spinning?



At some point in a company’s lifetime, its data is likely to be compromised (no news here). Either through internal mistakes, e.g. exposing private user data to other users due to a caching failure, or via external attacks, like our recent favourite example – Ashley Madison.

The Ashley Madison hack has not only shown us how upset betrayers can feel about being betrayed (boohoo) and the still silly state of passwords, and brought us epic moments of comic relief; most importantly, it serves as a masterpiece of false security, which at best can be described as having someone install a vault door (bcrypt) into a house made out of plywood (insecure MD5 hash tokens, plus passwords and other credentials hard-coded into the source code).

Your counter arguments:

  • “We use the latest encryption methods and security practices.”
  • “We only store metadata and/or share anonymized data with third parties.” Sorry, you know that’s BS

My point:

When the shit hits the fan, don’t make it any worse by having stored unnecessary private customer data.



Ultimately, a product is a reflection, and a result, of company values. Therefore, the entire set of company values, vision, and business thinking also needs to be an integral part of your early decision-making process regarding data architecture and private customer data. Whether you look at data collection practices and privacy from a marketing, sales or product strategy point of view, I fully agree with Brian Solis that

“Availability of data is a gift, and if there’s a mutual benefit in the exchange of data, customers are willing to give you whatever data you need. Thus, the opportunity, and responsibility, lies in understanding human dynamics of what privacy means to people that aren’t us. We need to make it matter to people”.

Don’t sell your product short. Be mindful of your data collection practices and privacy policy. Make them matter.

Paula is Digital Product Advisor and Top 100 Women in Tech in Europe, focusing on Product, Go-to-market, and Internationalization strategies. Rated as one of the very best startup mentors in Europe, she has to date mentored over 150 digital technology companies on product, marketing and growth. Pick My Brain! is her fixed price service tailored to early stage startups, gender wage gap adjusted for female founders. Contact Paula for digital strategy work or book her as keynote speaker about #Startups #WomenInTech #GenderEquality #Entrepreneurship. Read more about her work and connect @Twitter, @LinkedIn.

“You never learn anything when you speak, only when you listen” – Roelof Botha / Douglas Leone, Sequoia Capital