Privacy Policy

Last updated: April 6, 2026

Terms of Service Privacy Policy Acceptable Use Cookie Policy Accessibility

1. Data We Collect from Creators

  • Email address: for authentication and notifications
  • Name (optional): for display purposes
  • Payment information: processed by Stripe; we store only the payment method type and last four digits
  • Usage data: cycle creation, link management, export activity (for audit logging)

2. Data We Collect from Respondents

  • Feedback content: encrypted at rest in our database
  • IP hash: a SHA-256 one-way hash with an application-level salt, used solely for abuse prevention

3. What We Explicitly DO NOT Collect from Respondents

  • ✕ No cookies of any kind
  • ✕ No sessions or session tokens
  • ✕ No JavaScript analytics or tracking scripts
  • ✕ No browser fingerprinting
  • ✕ No tracking pixels or web beacons
  • ✕ No CDN tracking or request logging
  • ✕ No device identification
  • ✕ No geolocation (beyond country-level for abuse detection)

4. How IP Hashing Works

We never store raw IP addresses in feedback submissions. Instead, we compute a SHA-256 hash using your IP address combined with an application-level salt. This hash is:

  • Used only for detecting abuse patterns (rate limiting, duplicate detection)
  • Never visible to Creators
  • Not reversible: it cannot be used to determine your IP address
  • Deleted after the feedback cycle ends plus a 30-day retention period

5. Encryption

All feedback content is encrypted at rest using Laravel's encryption (AES-256-CBC). Even in the event of a database breach, feedback content would not be readable without the application's encryption key.

6. Third-Party Services

We do not share feedback content or respondent data with any third party.

7. Data Retention

  • Creator accounts: retained until account deletion
  • Feedback content: retained as long as the Creator's account is active
  • IP hashes: deleted 30 days after the feedback cycle ends
  • Abuse signals: deleted 30 days after the feedback cycle ends
  • Magic links: deleted 1 hour after expiry

8. Your Rights

Creators can: export all feedback data (CSV), delete their account and all associated data, and request information about stored data.

9. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Request correction of inaccurate personal data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to data portability: Receive your data in a machine-readable format (CSV export)
  • Right to restrict processing: Request that we limit how we use your data
  • Right to object: Object to processing of your personal data

Our legal basis for processing Creator data is contractual necessity (providing the service you signed up for). For Respondent IP hashes, our legal basis is legitimate interest (abuse prevention).

To exercise any of these rights, email [email protected]. We will respond within 30 days.

10. CCPA Compliance (California Users)

If you are a California resident, the California Consumer Privacy Act grants you the following rights:

  • Right to know: What personal information we collect, use, and share
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: We do not sell personal information to third parties
  • Right to non-discrimination: We will not treat you differently for exercising your rights

We do not sell, rent, or share personal information with third parties for their marketing purposes.

11. Contact

For privacy questions or data requests: [email protected]