HeySurvey Privacy Policy & Data Processing Addendum ("DPA")

Last updated: August 2025

1. Introduction

HeySurvey ("we", "us", "our") respects your privacy and is committed to protecting personal data. This Privacy Policy explains how we collect, use, and safeguard information when you visit heysurvey.io, create surveys, or respond to them. It also contains the Data Processing Addendum (DPA) that applies when we act as a data processor for survey creators.

2. Information We Collect

  • Account information. When you register we collect your name, email address, and a hashed password.
  • Survey content. The questions, text, images, and files you add to your surveys.
  • Survey responses. Answers and any files uploaded by respondents.
  • Usage logs. IP address, browser/user‑agent, and timestamps generated automatically when you interact with the Service.
  • Session cookie. A single, first‑party cookie (heysurvey_session) is set only after you sign in. It keeps you logged in and expires when you log out or after 24 hours of inactivity.

We do not intentionally collect special‑category data unless you include it in a survey question.

3. Why We Use Information

We process personal data to:

  1. provide and maintain the Service;
  2. send essential transactional emails (e.g., password resets);
  3. secure the Service and detect abuse;
  4. comply with applicable laws.

Our legal bases are performance of a contract and legitimate interests.

4. Cookies

Because we use only one essential session cookie and no tracking or advertising cookies, a consent banner is not required under the EU ePrivacy Directive or GDPR. Blocking this cookie will prevent you from signing in.

5. Data Retention

  • Account information is retained while your account is active and for 30 days after you close it.
  • Survey content & responses stay until you delete them or, for free accounts, 90 days after your last activity (see Terms of Use §5).
  • Back‑ups may persist for up to 30 days before automatic deletion.

6. Your Rights

You may access, export, correct, or delete your personal data.

  • Download: Export your surveys and responses anytime from Settings › Export Data.
  • Delete: Email [email protected] and we will permanently erase your account and associated data within 30 days unless legal obligations require retention.

7. Children

The Service is not directed to children under 13 and we do not knowingly collect data from them.

8. Changes to This Policy

Material changes will be announced by email or in‑app notice at least 30 days before they take effect. The "Last updated" date will always show the current version.

9. Contact

Questions or requests? Email [email protected].


Data Processing Addendum (DPA)

The clauses below apply whenever you, as the survey creator, act as a data controller and HeySurvey acts as your data processor under the GDPR.

DPA 1. Roles & Scope

  • Controller: You, the survey creator.
  • Processor: HeySurvey.
  • Subject matter & duration: Hosting and processing survey data for the lifetime of your account plus retention periods in §5.

DPA 2. Processor Obligations

  1. Instructions. We process personal data only on your documented instructions (these terms, dashboard settings, or written requests).
  2. Confidentiality. All personnel are bound by confidentiality obligations.
  3. Security. We apply appropriate technical and organisational measures to protect personal data.
  4. Breach notification. We will notify you without undue delay and, where feasible, within 72 hours after becoming aware of a personal‑data breach.
  5. Assistance. We help you respond to data‑subject requests and meet GDPR obligations.
  6. Deletion/return. Upon termination we will delete or, at your choice, return personal data.

DPA 3. Sub‑Processors

We currently use the following trusted service providers ("sub‑processors") to help us operate the Service. Each sub‑processor is bound by privacy and security commitments equivalent to this DPA.

  • DigitalOcean and Amazon Web Services, Inc. (USA/EU) – cloud hosting and storage
  • Cloudflare, Inc. (USA/EU) – content‑delivery network and DDoS protection
  • Stripe, Inc. (USA/EU) – payment processing
  • Postmark / Wildbit LLC (USA) – transactional email delivery
  • Plausible Insights OÜ (EU) – privacy‑friendly analytics

We will notify you at least 30 days before we add or replace a sub‑processor, and you may object by emailing [email protected].

DPA 4. International Transfers

If personal data is transferred outside your jurisdiction we will ensure an appropriate transfer mechanism, such as the EU Standard Contractual Clauses, is in place.

DPA 5. Audit

On reasonable written request, we will provide information necessary to demonstrate our compliance with this DPA.


Capitalised terms not defined here have the meanings given in the HeySurvey Terms of Use.
