Privacy Policy

Effective date: April 10, 2026 · Version 2026-04-10.0

1. Introduction and Scope

This Privacy Policy describes how [COMPANY_NAME] ("we", "us", "our") collects, uses, stores, and protects personal information in connection with the [PLATFORM_NAME] platform (the "Service") available at [WEBSITE_URL].

This Policy applies to:

• Registered users of the Service ("Customers" or "Users")
• End-users who submit feedback through forms created by our Customers ("Respondents")
• Visitors to our website

This Policy does not apply to:

• Data that Customers collect independently of our Service. Customers are independent data controllers for personal data they input beyond what is described here. See our Data Processing Agreement for details.

By using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are

[COMPANY_NAME]
[COMPANY_LEGAL_ADDRESS]

Email: [PRIVACY_CONTACT_EMAIL]
Website: [WEBSITE_URL]

For GDPR purposes:

• Customer account data: we act as a data controller.
• Respondent feedback data: we act as a data processor on behalf of Customers.

For EEA/UK/Swiss residents: contact our Data Protection representative at [DPO_EMAIL].

3. Key Definitions

• Customer — a company or individual with a registered account on the Service.
• User — an employee or team member with access to a Customer's account.
• Respondent — a person who submits feedback through a form created by a Customer.
• Feedback — text, voice recordings, or structured input submitted by a Respondent.
• Personal Data — any information that identifies or can reasonably identify a natural person.

4. Data We Collect and Why

4.1 Account Data

When registering or being invited, we collect: name, email address, password (stored only in hashed form), Google account identifiers (if using Google sign-in), company information (name, email, phone, logo), user role, and timestamps.

4.2 Authentication Data

We use token-based authentication. Session tokens are stored in your browser's local storage. We track failed login attempts to prevent brute-force attacks. We do not use tracking cookies.

4.3 Feedback Data

When a Respondent submits feedback, we collect: feedback content, submission timestamp, browser information (for anti-fraud), and optionally name and email (only if the Respondent chooses to share their identity). Voice recordings, if submitted, are transcribed and not permanently stored after transcription.

Respondents: feedback is collected on behalf of Customers, who are the data controllers. To exercise your data rights, contact the company whose form you used. If you cannot reach them, contact us at [PRIVACY_CONTACT_EMAIL].

4.4 AI Analysis

Feedback is analyzed by AI to generate summaries, sentiment analysis, emotional traits, intent signals, and semantic search capabilities. This involves sending feedback content to third-party AI providers (see Section 6).

4.5 Usage Data

We track AI feature usage for billing and plan management.

4.6 Audit Logs

We maintain logs of security-relevant actions (logins, logouts, administrative actions) including user identifiers, event type, IP address, and timestamp. Audit logs are automatically deleted after a short retention period.

4.7 Browser Storage

We use browser localStorage and sessionStorage for session tokens and user preferences (language, theme, layout). No data stored in browser storage is shared with third parties. You can clear this data at any time by logging out or clearing your browser storage.

We do not use tracking pixels, behavioral advertising, or third-party analytics.

5. Legal Bases for Processing (GDPR)

If you are in the EEA, UK, or Switzerland, we process your data under the following bases:

• Performance of contract (Art. 6(1)(b)) — account management, authentication, billing, AI analysis
• Legitimate interests (Art. 6(1)(f)) — feedback processing, security, audit logs
• Consent (Art. 6(1)(a)) — identity sharing by Respondents, voice recording

6. Third-Party Services

6.1 AI Providers

• OpenAI (USA) — text analysis, summarization, voice transcription
• Anthropic (USA) — text analysis, summarization

6.2 Infrastructure

• Google Cloud Platform (USA) — cloud hosting, database, cache

6.3 Authentication

• Google OAuth 2.0 — Sign-in with Google

A current list of sub-processors is maintained in our Data Processing Agreement.

7. International Data Transfers

Our infrastructure is hosted in the United States. If you are in the EEA, UK, or Switzerland, your data will be transferred to and processed in the US.

We rely on Standard Contractual Clauses (SCCs), Data Processing Agreements with all sub-processors, and the EU-U.S. Data Privacy Framework where applicable.

You may request a copy of the relevant transfer mechanisms at [PRIVACY_CONTACT_EMAIL].

8. Data Retention

• Account data — lifetime of the account; deleted immediately on account deletion
• Feedback and AI analysis — lifetime of the Customer's account
• Session tokens — short-lived, automatically expired
• Audit logs — up to 7 days (up to 365 days for data-export audit trail)
• Voice recordings — deleted immediately after transcription
• Billing and tax records — up to 7 years as required by law

8.1 Account Deletion

On-demand: Customers may delete their account at any time from account settings. Deletion is immediate, irreversible, and removes all associated data.

Inactive accounts: we automatically delete inactive accounts — after 6 months without sign-in (accounts that never had a paid subscription) or 12 months (accounts that previously had a paid subscription). Accounts with an active paid subscription are never auto-deleted. A warning email is sent 30 days before auto-deletion. Signing in cancels the deletion.

8.2 Imported Feedback

Feedback imported from third-party platforms follows the same retention rules, unless the source platform's terms require shorter retention.

9. Your Rights

EEA / UK / Swiss Residents

You have the right to: access, rectify, erase, restrict processing, data portability, object to processing, withdraw consent, and object to automated decision-making.

Email [PRIVACY_CONTACT_EMAIL] with subject "Data Subject Request". We respond within 30 days.

Respondents: contact the Customer (data controller) directly.

You may lodge a complaint with your local supervisory authority.

All Users

• Update your data in account settings
• Delete your account at any time from account settings
• Opt out of identity sharing when submitting feedback

10. Children's Privacy

The Service is not directed to individuals under 16 (or 13 in the US). We do not knowingly collect data from children.

11. Security

We implement appropriate technical and organizational measures to protect your data, including encryption in transit, hashed password storage, short-lived authentication tokens, brute-force protection, strict data isolation between customers, role-based access control, and monitored support access.

No method of electronic transmission or storage is 100% secure. In the event of a data breach, we will notify affected individuals and authorities as required by law.

12. California Residents — CCPA/CPRA

If you are a California resident, you have the right to know what personal information is collected, delete your information, correct inaccuracies, and opt out of sale or sharing.

We do not sell personal information. We do not share it for cross-context behavioral advertising.

Email [PRIVACY_CONTACT_EMAIL] with subject "CCPA Request". We respond within 45 days.

13. Changes to This Policy

We may update this Policy. Material changes will be communicated via updated date, email notification where required, and in-app notice. Continued use after the effective date constitutes acceptance.

14. Contact Us

[COMPANY_NAME]
Email: [PRIVACY_CONTACT_EMAIL]
Address: [COMPANY_ADDRESS]
Website: [WEBSITE_URL]

EEA/UK residents: [DPO_EMAIL]

We aim to respond within 5 business days.