Legal and Compliance

This page is a plain-English summary. The binding documents are the Terms of Service, Privacy Policy, Data Processing Agreement, and Imprint. If anything on this page conflicts with those, the binding documents win.

We deliberately keep this section explicit about what we are and aren't responsible for. That protects you (the customer) by being clear up front, and it protects Pay4Feedback from downstream claims that are outside our scope.

The short version

  • Pay4Feedback is a B2B SaaS platform. Not a payment institution, not an escrow agent, not a broker.
  • Payments are processed by Stripe (regulated EU PSP). Reward payouts by Tremendous (regulated US payout platform).
  • Pay4Feedback orchestrates the flow. We never hold your money or your users' money on our balance sheet.
  • The platform is GDPR-compliant by default. EU hosting, DPA available, EU–US Data Privacy Framework for US sub-processors.
  • The service is B2B only (§ 14 BGB). Not offered to consumers.

What you (the Customer) are responsible for

  • Legality of what you collect. You are the data controller. If you use the service to collect personal data you shouldn't be collecting, that is your exposure, not ours.
  • User consent. The widget provides a default consent UX; if you disable it or modify it, you assume the compliance risk for that decision.
  • Legitimate budget source. You warrant that the money you spend on campaigns consists of legitimate business funds that are not in violation of AML, sanctions, or tax rules.
  • Content of your surveys. You write the questions. If they breach local law (discrimination, protected-characteristic targeting, unlawful incentives) it is your liability.
  • Reward claims tax. If a recipient has local tax obligations on the reward, that is between them and their tax authority. We don't issue 1099/tax forms in your name; Tremendous reports under its own name where US law requires.

What Pay4Feedback is responsible for

  • Uptime of the platform, to the target levels stated in the Terms of Service.
  • Technical and organisational security measures (Art. 32 GDPR, enumerated in Annex B of the DPA).
  • Correct orchestration between Stripe and Tremendous. If we mis-route, we correct it from our own funds.
  • Sub-processor contracts. We keep written Art. 28 GDPR contracts with Stripe, Tremendous, AWS, and any other sub-processor.
  • Breach notification to you within 48 hours of becoming aware (DPA Section 9).

What Pay4Feedback is not responsible for

Plain list. Read carefully — this limits our liability and, as a consequence, also protects your legitimate expectations by making them explicit:

  • Tremendous payout failures beyond the standard retry / refund flow described in Payout Rules. If Tremendous goes offline, we route the unspent budget back to you and notify. We are not a backup payment rail.
  • Stripe chargebacks / bank disputes on your payment to us. We cover the clawback on already-disbursed rewards (DPA permitting), but we reserve the right to immediately suspend your tenant and recover via other means — see Terms of Service.
  • Recipients' use of their reward. Once Tremendous has disbursed, the reward is out of our hands. If a user gets an Amazon gift card and never uses it, that is not a refund trigger.
  • Content moderation of submissions you read. Our AI filters for quality, not for accuracy or appropriateness. If you need content moderation, use Manual Review.
  • Tax advice. Our invoices are correct under German tax law; your local tax treatment of campaign expenses and reward recipients is your accountant's job.
  • Specific business outcomes. We do not promise a specific number of responses, a specific conversion rate, or a specific quality distribution. Market, product, and survey quality drive those — not us.

GDPR architecture

  • Controller: You (the Customer), for end-user data.
  • Processor: Pay4Feedback.
  • Sub-processors: AWS EMEA SARL (hosting, Frankfurt), Stripe Payments Europe (payments, Dublin), Tremendous LLC (payouts, NYC, EU–US Data Privacy Framework), Anthropic PBC (AI scoring, Enterprise opt-in, SCCs).
  • Data Processing Agreement: pre-signed, effective on acceptance of the Terms. Counter-signed PDF available at support@pay4feedback.com.
  • Retention: 24 months for feedback, 10 years for invoices (§ 147 AO), 90 days for backups. Full schedule in the Privacy Policy.

Non-custodial escrow, explicitly

Pay4Feedback is not a licensed escrow agent under § 34c GewO, not a payment institution under ZAG, not a BaFin-regulated entity. It does not hold Customer or end-user funds on its own balance sheet. Funds transit briefly through our Stripe account and are held in Tremendous's pooled balance only for as long as necessary to fulfil the transaction.

That paragraph is in the Terms of Service and the DPA for a reason — it's a legal firewall. It means:

  • BaFin does not have jurisdiction over us as a payment institution.
  • German escrow law does not apply.
  • AML obligations sit with Stripe and Tremendous (the regulated parties), not with us.
  • You should not describe the service to your users or auditors as "escrow" in the regulated sense.

Acceptable Use

Summary of what you must not do (full list in the Terms):

  • Collect special-category personal data (health, politics, etc., Art. 9 GDPR) without a separate legal basis.
  • Target surveys based on protected characteristics.
  • Manipulate or attempt to game the quality scoring.
  • Submit fraudulent budget payments or ones from sanctioned parties.
  • Resell the platform or sublicense our widget to third parties without written permission.

Violations: suspension of the tenant with 7-day grace for severe issues, immediate suspension for AML / fraud / sanctions concerns.

Liability cap

For ordinary negligence, our aggregate liability is capped at the fees you have paid in the twelve (12) months preceding the event. Unlimited liability applies only where required by law: intentional misconduct, gross negligence, guarantees, personal injury, and Product Liability Act claims.

This is standard B2B SaaS posture and matches what you'd see from Stripe, AWS, Google Cloud. It's documented in the Terms § 11.

Governing law & venue

  • Law: Federal Republic of Germany, excluding UN CISG.
  • Venue: Stuttgart, Germany (for merchants / legal entities).

We do not participate in consumer dispute resolution boards — the service is B2B only.

Security & vulnerability disclosure

If you find a security issue, email security@pay4feedback.com before disclosure. We acknowledge within 2 business days. Responsible disclosure earns a public acknowledgement and, for meaningful findings, a thank-you gift.

We do not run a bug bounty with cash payouts today.

Data export & portability

You can export all your data as CSV at any time from the dashboard (Settings → GDPR → Export). On termination, you have 30 days to export before deletion. See Privacy Policy § 11.

Insurance

Pay4Feedback maintains professional indemnity insurance appropriate for a B2B SaaS of our size. Certificate available to Enterprise customers on request (sales@pay4feedback.com).