Votiq
Sign inGet started free

Privacy Policy

Effective date: April 11, 2026

This Privacy Policy explains how Votiq (“we”, “us”, or “our”) collects, uses, discloses, and protects personal information when you use Votiq.io and related services (collectively, the “Service”). We are committed to handling your data responsibly and in compliance with applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Information We Collect

We collect the following categories of personal information:

Account & Profile Data — When you register, we collect your name, email address, password (hashed), organisation name, billing address, and VAT/tax identification number where applicable.

Feedback & Engagement Data — Feature requests, post titles and descriptions, comments, vote records, reaction data, and changelog subscriptions submitted by Vendors and end Users.

Crowdfunding & Pledge Data — Pledge amounts, campaign selections, pledge status (pending, captured, refunded), and delivery window acknowledgements. Payment instrument details are held by Stripe, not Votiq.

Usage & Technical Data — IP addresses, browser type and version, operating system, referring URLs, pages visited, time spent, feature interactions, and API request logs. This data is collected via server logs and first-party analytics.

Communication Data — Emails you send to us, support tickets, and your communication preferences.

Third-Party Sign-In Data — If you register using a third-party provider (e.g., Google OAuth), we receive your name and email address from that provider.

2. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service.
  • Authenticate users, manage sessions, and enforce security controls.
  • Process subscription payments and crowdfunding transactions via Stripe.
  • Send transactional emails (account confirmation, password reset, pledge receipts, campaign status updates, and digest notifications).
  • Run AI-powered features: duplicate post detection, sentiment analysis on feedback, and semantic search using vector embeddings.
  • Generate aggregate analytics and product usage insights for Vendors.
  • Detect and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms of Service.
  • Improve and develop new features (using aggregated, anonymised data).

3. Legal Basis for Processing (GDPR)

For individuals in the EU/EEA and UK, we process personal data under the following legal bases:

  • Contract performance — Processing necessary to provide the Service you have signed up for (account management, billing, core features).
  • Legitimate interests — Security monitoring, fraud prevention, product analytics, and improving the Service, where our interests are not overridden by your rights.
  • Legal obligation — Retaining financial records, responding to lawful requests from authorities.
  • Consent — Marketing communications, optional analytics features. You may withdraw consent at any time.

4. Data Storage & Security

All data is stored in Supabase, which runs on Amazon Web Services (AWS) infrastructure in the EU (eu-west-1 by default). Data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Database access is protected by Row-Level Security (RLS) policies scoped to each organisation.

We implement the following security measures: bcrypt-hashed passwords, SHA-256 hashed API keys, short-lived JWT session tokens, regular security reviews, and principle-of-least-privilege access controls for our team. We perform regular automated backups.

No method of electronic transmission or storage is 100% secure. If we become aware of a data breach that affects your rights, we will notify you and relevant supervisory authorities as required by law.

5. Payment Data

Payment processing is handled by Stripe, Inc., a PCI DSS Level 1 certified payment processor. Votiq does not store, transmit, or have access to full credit card numbers, CVV codes, or raw bank account details. Stripe stores payment method tokens and manages all card data.

For crowdfunding, Vendors connect their Stripe accounts via Stripe Connect. Stripe acts as an independent data controller for payment data processed in connection with payouts. Please refer to Stripe’s Privacy Policy for details.

6. AI Processing

Votiq uses AI services to enhance the quality of feedback management:

  • Anthropic Claude (Sentiment Analysis) — Post titles and descriptions are sent to Anthropic’s API to classify sentiment (positive, neutral, negative) and identify tone. Only post text content is transmitted; no personally identifiable account information is included in these requests. Data is processed in accordance with Anthropic’s Privacy Policy.
  • VoyageAI (Semantic Embeddings) — Post text is converted into vector embeddings by VoyageAI to enable semantic similarity search and duplicate detection. Only post text is transmitted. Embeddings are stored in Supabase and used solely within your organisation’s scope. Data is processed in accordance with VoyageAI’s privacy policy.

AI processing is enabled by default for Vendors on paid plans but can be disabled in workspace settings. We do not use your data to train third-party AI models; data sent to these APIs is used solely for inference on your content.

7. Third-Party Services

We share data with the following third parties only to the extent necessary to provide the Service:

  • Stripe — Payment processing and Stripe Connect payouts.
  • Supabase — Database, authentication, realtime, and file storage (hosted on AWS).
  • Vercel — Application hosting and edge network (CDN). Vercel processes request logs which may include IP addresses.
  • Resend — Transactional email delivery (account emails, pledge receipts, digests).
  • Anthropic — AI sentiment analysis (post text only).
  • VoyageAI — Semantic vector embeddings (post text only).
  • Inngest — Background job orchestration for asynchronous processing (e.g., payment captures, email triggers). Job payloads may contain references to user IDs and post IDs.

We do not sell your personal data to third parties. We do not share your data with advertisers. Data sharing with sub-processors is governed by Data Processing Agreements where required by GDPR.

8. Cookies & Local Storage

Votiq uses essential cookies only. We do not use third-party advertising or tracking cookies.

  • Session cookies — Set by Supabase Auth to maintain your authenticated session. These are deleted when you close your browser or sign out.
  • Preference cookies — Store UI preferences such as theme (dark/light mode) and language selection.
  • CSRF tokens — Short-lived tokens used to protect form submissions.

We use browser local storage to cache non-sensitive UI state (e.g., open filter selections). No personal data is stored in local storage. You can clear local storage at any time through your browser settings.

Because we use essential cookies only, we do not display a cookie consent banner. If you disable cookies, authentication features will not function.

9. Data Retention

We retain personal data for the following periods:

  • Account data — Retained for the duration of your subscription plus 30 days after account deletion, to allow data export. After 30 days, account data is permanently deleted.
  • Feedback & post data — Retained while the organisation account is active. Deleted within 30 days of account deletion.
  • Financial records — Billing history and transaction records are retained for 7 years to comply with accounting and tax legal obligations.
  • Server logs — Request logs are retained for 90 days for security and debugging.
  • AI embeddings — Deleted within 30 days of account deletion.

10. Your Rights (GDPR & Privacy Rights)

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access — Request a copy of the personal data we hold about you.
  • Right to rectification — Request correction of inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — Request deletion of your personal data, subject to legal retention obligations.
  • Right to data portability — Receive your data in a machine-readable format (JSON/CSV).
  • Right to restriction — Request that we restrict processing of your data in certain circumstances.
  • Right to object — Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — Where processing is based on consent, withdraw it at any time.

We will respond to verified requests within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before fulfilling a request.

11. GDPR Data Export & Account Deletion

Votiq provides self-service tools for exercising your data rights:

  • Data export — Available in your workspace settings under “Data & Privacy”. You can download a full JSON export of your organisation’s posts, votes, comments, changelogs, and member data.
  • Account deletion — Available in workspace settings. Deleting your account initiates a 30-day grace period during which data is retained and exportable. After 30 days, all personal data is permanently and irreversibly deleted, except for financial records retained per legal obligation.

To submit a manual data request or if you require assistance, contact privacy@votiq.io.

12. International Data Transfers

Votiq primarily stores and processes data in the EU (AWS eu-west-1). However, some of our sub-processors operate in the United States (Stripe, Anthropic, VoyageAI, Inngest, Vercel, Resend). Where personal data is transferred outside the EU/EEA, we ensure adequate safeguards are in place, including:

  • EU Standard Contractual Clauses (SCCs) incorporated into Data Processing Agreements.
  • Adequacy decisions by the European Commission where applicable.

You may request information about the specific safeguards in place for international transfers by contacting privacy@votiq.io.

13. Children’s Privacy

The Service is not directed at or intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we discover that a child under 16 has provided us with personal data, we will take steps to delete it promptly. If you believe a child has provided us with their data, please contact privacy@votiq.io.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If changes are material, we will notify you by email or prominent notice on the Service at least 14 days before the changes take effect. We encourage you to review this policy periodically. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

15. Data Protection Officer

We have designated a Data Protection Officer (DPO) responsible for overseeing our data protection practices. If you have questions or concerns about how we handle your personal data, you may contact our DPO at:

Data Protection Officer, Votiq
privacy@votiq.io

You also have the right to lodge a complaint with your local data protection supervisory authority. In the EU, you can find your national authority at edpb.europa.eu.

16. Contact

For all privacy-related inquiries, data subject requests, or questions about this policy, please contact:

Votiq Privacy Team
privacy@votiq.io

Privacy Policy — Votiq