Privacy Policy

Your privacy is important to us. It is KoalaFeedback's ("KoalaFeedback," "we," "us," or "our") policy to respect your privacy and comply with any applicable law and regulation regarding any personal information we may collect about you, including across our website, koalafeedback.com, the feedback portals hosted for our customers, and other sites we own and operate. This policy is designed to be compliant with the General Data Protection Regulation (GDPR) and other relevant data protection laws.

This policy is effective as of 18-04-2025 (DD-MM-YYYY) and was last updated on 18-04-2025 (DD-MM-YYYY).

1. Information We Collect

Information we collect includes both information you knowingly and actively provide us when using or participating in any of our services and promotions, and any information automatically sent by your devices in the course of accessing our products and services.

1.1. Log Data

When you visit our website or use our services (including customer feedback portals), our servers (hosted by Hetzner in Nuremberg, Germany, and managed via Laravel Forge) may automatically log the standard data provided by your web browser. This may include your device’s Internet Protocol (IP) address (potentially processed via Cloudflare), your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, other details about your visit, and technical details that occur in conjunction with any errors you may encounter. This data is generally used for troubleshooting, security, monitoring service performance, and improving our services.

1.2. Personal Information

We may ask for personal information when you interact with our services. This may include:

For KoalaFeedback Customers (Users signing up for our service):

  • Name
  • Email Address
  • Company Name (optional)
  • Website URL (for custom domain setup)
  • Payment Information (processed securely through our third-party payment processor, Stripe)

For End-Users (Individuals interacting with a Customer's Feedback Portal):

When you interact with a feedback portal hosted by KoalaFeedback on behalf of one of our customers, you may provide personal information, potentially including:

  • Name (if provided)
  • Email Address (if using email login or provided by SSO)
  • Information from third-party login providers (if you choose to log in via Google, Facebook, GitHub, or Discord, we may receive profile information like your name and email address according to the provider's policies and your privacy settings).

KoalaFeedback processes this end-user information on behalf of our customer, who acts as the data controller for the information collected through their specific feedback portal. See Section 7 for more details.

1.3. User Content

We collect content that you (as a customer or an end-user) submit while using our services ("User Content"). For end-users, this primarily includes feedback submissions, comments, and votes submitted through a customer's feedback portal. For customers, this includes configuration data and settings for your feedback portal.

1.4. Cookies and Similar Technologies

We use cookies and similar technologies (like pixels and web beacons) to collect information about your activity across our site and potentially on customer feedback portals. A cookie is a small piece of data that our website stores on your computer and accesses each time you visit. This helps us understand how you use our site, serve you content based on preferences, manage sessions, and track the effectiveness of our services and advertising.

We use the following types of cookies:

  • Essential Cookies: Necessary for the operation of our website and services (e.g., enabling login, managing your session, processing payments via Stripe).
  • Performance & Analytics Cookies: Collect information about how you use our website and services (e.g., pages visited, interactions). We use this aggregated information to improve our platform.
  • Functionality Cookies: Allow our website to remember choices you make (e.g., language preference) and provide enhanced features.
  • Targeting/Advertising Cookies: May be used by us or third parties to deliver advertisements relevant to you or measure advertising campaign effectiveness (primarily on our main marketing site).

We use the following third-party services that may set cookies or use similar tracking technologies:

You can typically control or disable cookies through your browser settings or manage preferences via tools like Cookiebot where implemented. However, disabling essential cookies may prevent you from using certain features of our website or services.

2. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA), we rely on the following legal bases to process your personal information:

  • Contractual Necessity: Processing your personal information is necessary for the performance of a contract to which you are a party (i.e., our Terms of Service with our Customers) or to take steps at your request prior to entering into such a contract (e.g., creating an account). For end-users interacting with portals, our processing is necessary to provide the service to our customer, which enables the interaction.
  • Legitimate Interests: We may process your personal information based on our legitimate interests, such as operating and improving our services, ensuring security, marketing our products (to prospective and current customers), and preventing fraud. We will only rely on this basis where our interests are not overridden by your data protection interests or fundamental rights and freedoms.
  • Consent: In some cases, we may rely on your consent to process your personal information (e.g., for certain types of cookies, or specific marketing communications). You have the right to withdraw your consent at any time. For end-users on portals, consent for non-essential cookies or specific data uses may be managed by our customer via the portal settings or tools like Cookiebot.
  • Legal Obligation: We may process your information where necessary to comply with a legal obligation to which we are subject.

3. Collection and Use of Information

We may collect, hold, use, and disclose information for the following purposes:

  • To provide you (our Customer) with our core services (hosting and managing your feedback portal).
  • To enable end-users to submit feedback, comments, and votes on customer portals.
  • To enable you (Customer and End-User) to customize or personalize your experience of our services.
  • To process payments for customer subscriptions.
  • To contact and communicate with you (including responding to inquiries and providing customer support).
  • For analytics, market research, and business development, including to operate and improve our website, associated applications (feedback portals), and associated social media platforms.
  • For advertising and marketing (primarily directed at potential or existing customers), including sending promotional information about our products and services (you can opt out of marketing communications).
  • To enable you to access and use our website and associated applications (feedback portals).
  • For internal record keeping and administrative purposes.
  • To comply with our legal obligations and resolve any disputes.
  • For security and fraud prevention, including monitoring activity (e.g., via logs, Microsoft Clarity) and ensuring our sites and apps are safe, secure, and used in line with our Terms of Service.
  • To perform regular data backups for disaster recovery purposes.

4. Disclosure of Personal Information to Third Parties

We may disclose personal information to:

  • Service Providers: Third-party service providers who assist us in providing and improving our services, such as:
    • Payment processors (Stripe)
    • Hosting providers (Hetzner)
    • Server management services (Laravel Forge)
    • Deployment services (Laravel Envoyer)
    • DNS and security providers (Cloudflare)
    • Analytics platforms (Google Analytics, Microsoft Clarity)
    • Marketing and CRM platforms (Bentonow.com)
    • Cookie consent management platforms (Cookiebot)
    • Advertising platforms (Meta/Facebook Pixel - primarily for our marketing site)
    • Third-party login providers (Google, Facebook, GitHub, Discord - only when used for login)
    • IT service providers and data storage providers
  • Our Customers: If you are an end-user submitting feedback on a customer's portal, your submitted User Content and associated profile information (name/email if provided/available via SSO) will be visible to the customer who owns that portal.
  • Affiliates: A parent, subsidiary, or affiliate of our company.
  • Business Partners: Our existing or potential agents or business partners.
  • Legal Authorities: Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law, in connection with any actual or prospective legal proceedings, or in order to establish, exercise, or defend our legal rights.
  • Third parties during business transfers: If we or our assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, data (including your personal information) would be among the assets transferred to any parties who acquire us.
  • Other third parties: Third parties that collect and process data on our behalf, subject to contractual safeguards.

We ensure that these third parties are contractually obligated to protect your personal information in accordance with applicable data protection laws where required.

5. International Data Transfers

The personal information we collect is primarily stored and processed in Germany (via Hetzner). However, we and our third-party service providers may transfer, store, and process your information in other countries outside of where you live.

These countries may have data protection laws that are different from the laws of your country. When we transfer personal information outside the European Economic Area (EEA), we will ensure that the transfer complies with applicable law, for example by implementing Standard Contractual Clauses (SCCs) approved by the European Commission, relying on an adequacy decision, or using other legally recognized mechanisms.

Specifically, service providers like Stripe, Google, Meta, Microsoft, Cloudflare, and Bentonow may process data in the United States or other locations globally. We rely on their commitments to process data in accordance with GDPR requirements for international transfers.

6. Data Security

We take the security of your personal information seriously. We implement commercially reasonable technical and organizational measures to protect your personal information from loss, theft, unauthorized access, disclosure, copying, use, or modification. These measures include:

  • Secure hosting infrastructure (Hetzner).
  • Encryption of sensitive data where appropriate (e.g., potentially passwords, data in transit via HTTPS).
  • Access controls to limit personnel access to personal information.
  • Regular security assessments and updates to our systems.
  • Daily database backups to aid in disaster recovery.
  • Use of reputable third-party services with strong security practices (e.g., Stripe for payments).

However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute data security. We will comply with laws applicable to us in respect of any data breach.

You are responsible for maintaining the confidentiality of your account credentials (for KoalaFeedback customers) and for any activity that occurs under your account.

7. Data Collected via Customer Feedback Portals

KoalaFeedback provides the platform for our customers to create and manage their own feedback portals. Our customers determine what information is collected through their portals and how it is used.

  • Data Controller: For personal information collected from end-users through a specific feedback portal (e.g., feedback submissions, comments, votes, end-user profile information), the KoalaFeedback customer who owns that portal is generally the Data Controller under GDPR.
  • Data Processor: KoalaFeedback acts as a Data Processor on behalf of our customer for this end-user data. We process this data solely to provide the KoalaFeedback service as instructed by our customer through their use of the platform and according to our Terms of Service and Data Processing Addendum (if applicable).
  • End-User Login: End-users may log in via email (magic link) or supported third-party providers (Google, Facebook, GitHub, Discord). We process the necessary information to facilitate these logins on behalf of the customer.
  • End-User Rights: If you are an end-user and wish to exercise your data protection rights (like access or deletion) regarding information submitted to a specific feedback portal, you should generally direct your request to the KoalaFeedback customer (the portal owner) first. We will assist our customers in responding to such requests as required by law and our agreements.

8. Your Rights (GDPR and Other Rights)

You have certain rights regarding your personal information, subject to local data protection laws. Depending on your location (especially if in the EEA), these may include:

  • Right of Access: The right to request copies of your personal information.
  • Right to Rectification: The right to request correction of inaccurate or incomplete information.
  • Right to Erasure ("Right to be Forgotten"): The right to request deletion of your personal information under certain conditions.
  • Right to Restrict Processing: The right to request the restriction of processing of your personal information under certain conditions.
  • Right to Data Portability: The right to receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller under certain conditions.
  • Right to Object: The right to object to processing based on legitimate interests or for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, the right to withdraw that consent at any time.

Exercising Your Rights: If you are a KoalaFeedback customer, you can exercise many of these rights through your account settings or by contacting us directly. If you are an end-user of a customer's feedback portal, please direct your rights requests primarily to the owner of that portal (our customer). We will support our customers in fulfilling these requests. If you contact us directly, we may need to forward your request to the relevant customer.

To exercise any rights by contacting us, please use the details provided below. We may need to verify your identity before processing your request.

9. How Long We Keep Your Personal Information

We keep your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as for tax, accounting, or other legal requirements).

  • Customer Account Data: We retain your information as long as your KoalaFeedback account is active and for a reasonable period thereafter as necessary for legitimate business purposes (e.g., record-keeping, resolving disputes, enforcing agreements) or legal obligations.
  • End-User Data on Portals: We retain end-user data processed on behalf of our customers for as long as the customer maintains their account with us and instructs us to retain the data, or as required to provide the service. Customers can typically manage or delete data within their portals. When a customer account is terminated, associated portal data will be deleted according to our data retention schedules, unless required otherwise by law.
  • Log Data & Analytics: Log data and aggregated analytics data may be kept for longer periods for security analysis and service improvement but are generally anonymized or pseudonymized where feasible.
  • Backups: Database backups are retained for a limited period (e.g., 7-30 days) for disaster recovery purposes and then securely deleted.

When your personal information is no longer required for these purposes, we will delete it or anonymize it.

10. Children's Privacy

Our services are not directed to children under the age of 16 (or a lower age if permitted by applicable law). We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us. If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to remove that information from our servers.

11. Complaints

If you believe that we have breached a relevant data protection law and wish to make a complaint, please contact us using the details below and provide us with full details of the alleged breach. We will promptly investigate your complaint and respond to you, in writing, setting out the outcome of our investigation and the steps we will take to deal with your complaint. You also have the right to contact a supervisory authority or data protection authority in your jurisdiction (e.g., the Autoriteit Persoonsgegevens in the Netherlands, if applicable, or the relevant authority in your country of residence).

12. Changes to This Policy

We may change this Privacy Policy from time to time at our discretion to reflect updates to our business processes, current acceptable practices, or legislative or regulatory changes. If we make significant changes, we will notify you via email (if you are a customer) or by posting a notice on our website. Your continued use of our site and services after any changes to this policy will be regarded as acceptance of our practices around privacy and personal information.

13. Contact Us

For any questions or concerns regarding your privacy, or to exercise your rights, you may contact us using the following details:

KoalaFeedback
Email: [email protected]