How might we...
...ensure users feel safe uploading sensitive data?
Qiscus is an Indonesian-based startup, founded in 2013, that joined the TTC Design Jam for Notice and Consent in Singapore in mid 2020.
Qiscus is a multichannel conversation platform that helps businesses to engage in timely conversations at scale, through the use of chat interfaces. The service exists across multiple platforms, such as Whatsapp, Messenger and Live Chat on the web, and allows its clients to converse with customers throughout all stages of the customer experience.
The business also helps their clients digitalize their existing services using chat technologies. Though based in Indonesia, Qiscus exists to service clients across the APAC region and beyond.
Qiscus want to help their clients, which usually is a customer service division from an industry, to handle notice and consent when sensitive information such as healthcare data is collected when using Qiscus
Qiscus clients need to be informed about how data is collected and used to help them feel safe when using the product. In order to do that, effective and interesting copywriting is a must so that customer could be more aware of Qiscus policies.
How might we...
...ensure users feel safe uploading sensitive data?
Qiscus is a B2B2C business that handles communication between its clients and their customers. Qiscus’s clients might be anyone from a small education provider to a large healthcare organisation. As such, sensitive privacy data may pass through Qiscus servers without the end user being explicitly aware.
For the purpose of this Design Jam, Qiscus chose to focus on helping their clients – those who work at organisations running the Qiscus platform – as opposed to the end user (a member of the public who’s communicating with that organisation).
Qiscus created two personas: Laras, who is head of customer service for an education platform, who has little data literacy and awareness, and Jacob, a data scientist at a Healthcare platform, who is highly informed, and has a strong interest in maintaining privacy integrity for his platform’s customers.
"I only have a little bit of understanding about data privacy, I could not differentiate which data is supposed to be protected and which data is free to be opened. I do not have the time to learn more about data privacy even though I am occasionally dealing with customers’ sensitive data.” (Laras)
"I value data privacy, and I always try my best to keep the privacy for the sake of other people, the company, and even myself. So I am willing to learn more about data privacy policy.” (Jacob)
Qiscus want to help their clients, which usually is a customer service division from an industry, to handle notice and consent when sensitive information such as healthcare data is collected when using Qiscus
Qiscus clients need to be informed about how data is collected and used to help them feel safe when using the product. In order to do that, effective and interesting copywriting is a must so that customer could be more aware of Qiscus policies.
The team decided to focus predominantly meeting Jacob’s needs – that of a data literate person, who as part of their job, requires a comprehensive understanding of the data and privacy implications of using the Quiscus platform. The challenge of meeting the health care industry’s stringent standards created an aspirational ‘high water mark’ for excellence in communicating Qiscus’s data use policies. ‘How can Qiscus help its users become more aware of the data they obtain and the policy for the use of sensitive data, such as health care data?
Qiscus were very aware that Jacob was an important persona to design for however a majority of their clients didn’t have such stringent requirements for data privacy. The team still saw the need to educate all customers about the use of their data without unduly impacting their experience. As Qiscus put it: ‘How to deliver privacy policy more effectively to users so that users are more aware without making users annoyed?’
Working with both of these considerations in mind helped Qiscus recognise that their solution required more than a ‘one-size fits all’ design.
Qiscus collects two types of data: personal and service data.
Personal data includes such things as:
Service data relates to the use of their website, for example
Data education as a feature
Explanations of data use are not relegated to hidden parts of the site such as Terms & Conditions pages. Information about how data is used is highlighted and featured much more prominently. It uses a simple delivery style with illustrative infographic illustrations to make it more effective. The creation of an illustrated character, Roqis the Robot Data Defender, makes the subject of privacy protection much more engaging and accessible for users who are often conditioned to skip through dry and unengaging privacy notices.
Up front data education
The privacy policy was previously only part of the product onboarding flow – once a client had bought the product and was setting up its use for the first time. Now information about data use is on the homepage of the website – a positive differentiator for the platform – and positioned to drive clients to consider customer data privacy as a fundamentally important aspect of their B2C service.
Multiple layers of depth
Recognising that some clients both want and need full documentation to understand the nuance of customer data protection, while others need a more basic overview, Qiscus have designed two ways for people to get acquainted with their data policy: when users choose to not read the privacy policy page during onboarding, they will get a short version of the privacy policy through their email.
We provide data education during onboarding before users register and use Qiscus. In addition, we also provide an easy-to-access button on the homepage to get to know the data flow on Qiscus, along with a privacy policy.
Roqis greets the user as a data defender and displays an overview of the relationship between user data, user company and Qiscus products and services.
We sort at least 5 important points that are often asked by users about data security and privacy policy. We still provide further information around consent in More Policy
When users choose to ignore the privacy policy page, they can get a short version of the Qiscus privacy policy in pdf format via email.