Of course you can collect passwords and other sensitive information in Unbounce… but should you?
The answer is no. Definitely not.
TL;DR: Unbounce forms are not encrypted, so don’t use them to collect personal information. Data collected online is the sole responsibility of the collector who is bound by relevant, applicable laws that are different depending on your municipality.
While Unbounce supports SSL (secure sockets layer), Unbounce forms are not encrypted. In other words, SSL establishes an encrypted link between server and client so that information passed from your landing page to our servers can’t be intercepted. Once your data arrives to the Unbounce server, you (and other users in your Unbounce account) can go in, view it and download it.
Of course, here at Unbounce, we can’t stop you from collecting sensitive data on your landing pages but you should know that there are rules in play - and they’re different depending on where you live - countries and even states have their own laws for collecting sensitive information online. While the details and penalties vary, the general consensus is that information collected online is solely the responsibility (and liability) of the person who collects it.
Similar to Google’s PII (personally identifiable information) policy, we recommend not using Unbounce to collect sensitive and/or personal information, including:
Passwords
Credit card & banking details
Social security numbers and/or social insurance numbers
It’s pretty common for Unbounce customers to ask questions about the data that passes through Unbounce landing pages. And, hey, questions are always good. Here are some of the most common:
Where is Unbounce data stored?
Pages are replicated across four fully redundant servers: US-West, US-East, Singapore, and Ireland. Any page data (lead information, uploaded assets, and page statistics) is replicated across our US servers. We automatically detect and route around any failures in any one of our data centres using Amazon’s Route 53 DNS and latency-based routing. This automatic failover means that a single error in any one data centre will only affect a portion of published page traffic for a short amount of time (within minutes).
Who has access to data that passes through Unbounce?
All of your lead data can be accessed through the leads portal by any users associated with your account. Unbounce data can also be viewed as customer profile data, which is stored in a database on Amazon’s EC2 servers. This data is replicated to a hot standby in case of failure so that we can minimize any downtime.
Where are my landing pages hosted?
All of your Unbounce pages are stored in S3, which is a robust data storage service managed by Amazon Web Services. We do nightly backups of the database that contains your page sources and that database is replicated in real time across our servers.
Is data that passes through Unbounce landing pages encrypted?
In order to make your leads visible, Unbounce forms do not encrypt data.
Where are Unbounce passwords stored? (the password you use to login to your Unbounce account)
When you created your Unbounce account, you created a password that you use to login in to Unbounce. That password is encrypted with Bcrypt and is not stored to the Unbounce Web App.
For the record, all of these are covered in Unbounce’s Terms of Services, which you can find right here.