This Privacy Policy describes how Pay4Feedback (“we”, “us”) collects, uses, and protects personal data when you use pay4feedback.com, the dashboard application at app.pay4feedback.com, and the embeddable feedback widget (collectively the “Service”). We comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).
1. Data Controller
Dmytro Rybka, Im Hoffeld 31/1, 74427 Fichtenberg, Germany
Email: privacy@pay4feedback.com
Phone: +49 172 6600815
2. Categories of Data We Process
Pay4Feedback distinguishes between tenants (our business customers) and end-users (widget respondents who may receive rewards).
- Tenant account data — name, email, company, authentication credentials
- Tenant billing data — Stripe Customer ID, subscription history
- Campaign and survey content created by tenants
- End-user survey responses and quality scores
- End-user reward-claim data — email, first name, payout method
- Anonymised widget session analytics — device type, referrer, time on page
3. Legal Bases (Art. 6 GDPR)
We rely on Art. 6(1)(b) GDPR for contract performance (tenant accounts, reward payouts), Art. 6(1)(a) GDPR for consent (widget respondents, optional cookies), Art. 6(1)(f) GDPR for legitimate interest (fraud detection, IT security), and Art. 6(1)(c) GDPR for legal obligations (tax record retention per § 147 AO).
4. Third-Party Data Sharing with Tremendous
End-user rewards are disbursed via Tremendous, LLC (71 5th Avenue, 4th Floor, New York, NY 10003, USA). When an end-user claims a reward we transmit the following to Tremendous to fulfil the payout:
- Recipient email address
- First name (optional)
- Reward amount and currency
- Campaign reference (internal identifier only)
Pay4Feedback is a non-custodial orchestrator. Funds transit briefly through Stripe and are held in Tremendous’s pooled balance for disbursement — we never hold recipient funds on our own balance sheet.
Third-country transfer: Tremendous is certified under the EU–US Data Privacy Framework (Art. 45 GDPR adequacy decision of 10 July 2023), providing an adequate level of protection. Tremendous privacy notice.
5. Payment Processing — Stripe
All subscription and campaign-budget payments are processed by Stripe Payments Europe, Ltd. (Dublin, Ireland) in a PCI-DSS-compliant iframe. Pay4Feedback never sees or stores full card numbers — only the Stripe Customer ID, Subscription ID, and last four digits of the card (for reconciliation). Stripe privacy notice.
6. Cookies
We use only strictly necessary cookies: a session cookie for authentication, a CSRF cookie, and a widget-consent cookie (180 days) that remembers an end-user’s consent choice. We do not use Google Analytics, Meta Pixel, or any advertising cookies. Because only strictly necessary cookies are used, no cookie consent banner is required under § 25 Abs. 2 TDDDG.
7. Hosting & Infrastructure
Production infrastructure runs on Amazon Web Services EMEA SARL in the eu-central-1 region (Frankfurt, Germany). Data at rest is encrypted with AES-256. Data in transit is encrypted with TLS 1.2+.
8. Your Rights Under GDPR
You have the right to:
- Access your data (Art. 15)
- Correct inaccuracies (Art. 16)
- Request deletion (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in portable format (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority
Exercise any right by emailing privacy@pay4feedback.com. We respond within one month (Art. 12(3) GDPR).
9. Data Processing Agreement (DPA)
Where you upload end-user data to your tenant, you are the controller and we act as processor. See our full Data Processing Agreement (Art. 28 GDPR) or request a counter-signed copy at support@pay4feedback.com.
10. Changes
Material changes are announced by email to registered tenants at least 30 days before taking effect.