Privacy Policy

This Privacy Policy explains how Customer Feedback Simplified collects, uses, stores, shares, and protects personal data when you use our customer feedback collection platform. It is drafted to align with GDPR, the Digital Personal Data Protection Act, 2023, the DPDP Rules, 2025, and the Information Technology Rules, 2011.

Policy Version: privacy-policy-v1.0.0
Effective Date: 2026-03-27
Contact: customerfeedbacksimplified@gmail.com

1. Introduction and Scope

Welcome to Customer Feedback Simplified. This Privacy Policy applies to the Service available at https://customerfeedbacksimplified.com/ and explains how personal data is handled when businesses register, configure questionnaires, and process feedback.

Important: our dual role

We act as a Data Controller / Data Fiduciary for registered business account data, and as a Data Processor on behalf of business customers for feedback submitted by their end-users.

2. Controller and Processor Roles

2.1 Registered business users

When you create a business account, we determine the purposes and means of processing your account information. In that context, we are the Data Controller under GDPR and the Data Fiduciary under the DPDP Act.

2.2 Feedback respondents

When feedback respondents submit responses to questionnaires created by our customers, we act only on the instructions of that business customer. The business that collected the feedback is the responsible controller / fiduciary for that data.

  • DSR requests from respondents should be directed to the business that collected the feedback.
  • We assist business customers with processor obligations under their instructions.
  • We maintain Data Processing Agreements with registered business customers.

Business customers may request our DPA template at customerfeedbacksimplified@gmail.com.

3. Information We Collect

3.1 Registered business users

  • Business name and registered address
  • Contact person details, email address, and login credentials
  • Subscription tier, billing history, and questionnaire settings
  • Password hashes stored securely using bcrypt

3.2 Feedback respondents

  • Name, email address, or phone number if a business chooses to collect them
  • Ratings, scores, structured answers, and free-text comments
  • Automatic PII redaction for free-text responses, including emails, phone numbers, Aadhaar numbers, PAN numbers, UPI IDs, and similar identifiers

3.3 Technical and usage data

  • IP address data, hashed and anonymised within 24 hours
  • Browser type, device type, operating system, and session activity
  • Server access logs retained for 90 days

4. Lawful Basis for Processing

We process personal data only where a lawful basis exists under Article 6 GDPR and Section 4 of the DPDP Act.

Processing Activity | Lawful Basis
Creating and managing your account | Contractual necessity - Art. 6(1)(b) GDPR / Sec. 7(b) DPDP Act
Providing the feedback platform service | Contractual necessity - Art. 6(1)(b) GDPR / Sec. 7(b) DPDP Act
Sending service-related notifications | Contractual necessity - Art. 6(1)(b) GDPR / Sec. 7(b) DPDP Act
Platform security and fraud prevention | Legitimate interests - Art. 6(1)(f) GDPR / Sec. 7(j) DPDP Act
Improving platform features | Legitimate interests - Art. 6(1)(f) GDPR / Sec. 7(j) DPDP Act
Marketing communications (opt-in) | Consent - Art. 6(1)(a) GDPR / Sec. 6 DPDP Act
Compliance with legal obligations | Legal obligation - Art. 6(1)(c) GDPR / Sec. 7(a) DPDP Act
Processing feedback on behalf of businesses | Processor under instruction - Art. 28 GDPR / Sec. 8 DPDP Act

5. How We Use Information

5.1 For business users

  • Provide, maintain, and improve the platform
  • Manage subscriptions, support requests, and service notices
  • Detect and prevent fraud, abuse, and security threats
  • Comply with legal and contractual obligations

5.2 For feedback data

  • Store and display responses for the relevant business customer
  • Generate anonymised analytics and reports
  • Apply PII redaction before storage
  • Fulfil DSR instructions received from the business customer

We do not

  • Sell, rent, or trade personal data to third parties
  • Use respondent data for our own marketing
  • Profile respondents for automated decision-making

6. Data Sharing and Subprocessors

We share data only with trusted subprocessors under contractual obligations to maintain confidentiality and security.

  • Hetzner Online GmbH for EU-hosted server infrastructure, with a signed DPA
  • Email service providers for transactional messages such as account verification
  • Payment processor details will be added if and when a payment gateway is integrated

We do not use third-party analytics tools that process personal data and we do not share data with advertising networks.

7. International Data Transfers

Personal data is stored on Hetzner servers located within the European Union. For Indian users, where cross-border restrictions apply under the DPDP framework, we will maintain and update appropriate safeguards in line with notified requirements.

8. Data Retention

We retain personal data only for as long as necessary for the stated purpose or as required by law.

Data Category | Retention Period
Business account data | Duration of subscription + 30 days after account termination
Feedback responses (identifiable) | As configured by the business customer (default maximum: 2 years)
Anonymised feedback analytics | Indefinitely once no longer personal data
Server access logs | 90 days
IP addresses | Anonymised within 24 hours of collection
Billing and contract records | 7 years
DSR request records | 3 years
Security incident logs | Minimum 1 year

9. Your Privacy Rights

9.1 GDPR rights

Right | Meaning
Right of Access (Art. 15) | Request a copy of all personal data we hold about your account
Right to Rectification (Art. 16) | Correct inaccurate or incomplete account data
Right to Erasure (Art. 17) | Request deletion of your account and associated data
Right to Restriction (Art. 18) | Limit how we process your data
Right to Portability (Art. 20) | Receive your data in a machine-readable format such as JSON or CSV
Right to Object (Art. 21) | Object to processing based on legitimate interests
Withdrawal of Consent (Art. 7) | Withdraw consent for marketing communications at any time
Automated Decisions (Art. 22) | We do not make solely automated decisions with legal effect

9.2 DPDP rights

  • Right to access information about personal data being processed
  • Right to correction and erasure of inaccurate or outdated personal data
  • Right to grievance redressal within a reasonable timeframe
  • Right to nominate a representative in case of death or incapacity
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the Data Protection Board of India

9.3 How to exercise rights

  • Submit a DSR in the platform or email customerfeedbacksimplified@gmail.com
  • We aim to acknowledge requests within 72 hours
  • Standard fulfilment target is 30 days, with complex cases up to 90 days on notice
  • Feedback respondents should contact the business that collected their feedback

10. Data Security

  • AES-256 encryption for data at rest
  • TLS 1.3 / HTTPS for data in transit
  • bcrypt password hashing
  • Automatic PII redaction before feedback data is stored
  • IP anonymisation within 24 hours
  • Role-based access controls and annual security reviews
  • Backups with tested restoration procedures

While we implement industry-standard security measures, no system can guarantee absolute security. Where a breach poses risk to your rights, we will notify affected parties and relevant authorities within applicable legal timelines.

11. Data Breach Notification

  • Notify affected business customers within 72 hours of becoming aware of a breach
  • Notify competent authorities where required by law
  • Notify affected individuals without undue delay where high risk exists
  • Maintain records of incidents and breaches for at least 1 year

12. Cookies and Tracking Technologies

We use only essential cookies needed for the operation of the platform. We do not use advertising, tracking, or third-party analytics cookies.

Cookie Type | Purpose
Session cookies | Maintain your logged-in session
CSRF protection cookies | Prevent cross-site request forgery attacks
Preference cookies | Remember dashboard display settings

13. Children's Data

Our platform is intended for business users aged 18 and over. We do not knowingly collect personal data from children under 18 for our own purposes. Where a business customer collects feedback from children, that customer is responsible for obtaining any required parental or guardian consent.

14. Right to Lodge a Complaint

Jurisdiction | Authority
European Union | Your local EU Data Protection Authority (DPA)
United Kingdom | Information Commissioner's Office (ICO)
India | Data Protection Board of India
Germany | Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

We encourage you to contact us first at customerfeedbacksimplified@gmail.com so we can try to resolve your concern directly.

15. Data Processing Agreement

In accordance with Article 28 GDPR and Section 8 of the DPDP Act, registered business customers are required to enter into a Data Processing Agreement with us. For self-serve accounts, the DPA is incorporated by reference into our Terms of Service. A separate signed DPA is available for enterprise accounts on request.

16. Changes to This Privacy Policy

  • Minor updates will be posted on this page with an updated effective date
  • Material changes will be notified to registered business users by email in advance
  • Continued use of the Service after the effective date constitutes acceptance
  • Previous versions may be available on request

17. Contact Us

Customer Feedback Simplified

Privacy and Data Protection

Email: customerfeedbacksimplified@gmail.com

Website: https://customerfeedbacksimplified.com/

Response time: within 72 hours

This Privacy Policy was last updated on March 27, 2026.

Accepted policy details and evidence are accessible in Dashboard -> Privacy.
