Privacy Policy
Last updated: January 30, 2026
This Privacy Policy describes how THINK IT FUTURE SRL ("we", "us", "fdback.io"), a company registered in Romania (CUI: 45074342, Registration No: J2021002965089), with its registered office at Str. Lunga 149 Ap. P3, Cod 500051, Brasov, Romania, collects, uses, stores, and protects your personal data when you use fdback.io ("Service").
We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), Romanian data protection law, and other applicable regulations.
By using the Service, you acknowledge that you have read and understood this Privacy Policy.
1. Data Controller and Processor Roles
Data Controller for account data: fdback.io is the data controller for personal data associated with your user account (name, email, authentication credentials).
Data Processor for Workspace content: fdback.io acts as a data processor on behalf of Workspace Owners (the data controllers) for Content submitted within Workspaces (feedback posts, comments, votes, attachments).
If you submit feedback on a public board or through an embedded widget, the Workspace Owner is the data controller for that content. Their own privacy practices may apply in addition to this policy.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
Name and email address — provided directly or via Google OAuth.
Profile picture — provided via Google OAuth or uploaded by you.
Authentication data — OAuth tokens from Google, or magic link email verification records via SendGrid.
2.2 Workspace and Membership Data
Workspace name, slug, logo, favicon, and settings.
Your role and permissions within each Workspace you join.
Invitation records (email, role, status, expiration).
2.3 User-Generated Content
Feedback posts (title, description, type, tags, attachments).
Comments and nested replies, emoji reactions.
Votes on feedback posts.
Changelog entries (for Workspace administrators).
2.4 File Uploads
Images, PDFs, and videos uploaded as feedback attachments, workspace branding, or changelog media.
File metadata (name, size, type).
2.5 Anonymous User Data
When Workspace Owners enable anonymous access, we collect:
IP address — used to prevent duplicate votes, track unique changelog views and likes, and detect abuse.
Feedback content — anonymous posts, comments, and votes are stored without association to a user account.
2.6 Payment Information
Subscription plan, billing period, and payment status.
Stripe customer ID and subscription ID.
We do not store full credit card numbers, bank details, or payment credentials. All payment processing is handled by Stripe, which acts as an independent data controller for payment data under its own privacy policy.
2.7 Usage and Technical Data
Browser type, device information, and operating system.
Pages visited and interactions within the Service.
Referral source.
This data is collected via PostHog (optional, client-side analytics) and standard server logs.
2.8 Integration Data
When you connect third-party integrations (Slack, Discord, Linear, Asana), we store:
OAuth access and refresh tokens (encrypted) for the connected service.
Integration configuration (e.g., selected channels, project mappings).
Data received from integrations (e.g., Slack messages forwarded as feedback, App Store or Google Play reviews).
2.9 Communication Data
Email notification preferences (global opt-in/out, per-notification-type preferences, digest frequency).
Emails sent to you (magic links, invitations, notifications, digests) are processed by SendGrid.
3. How We Use Your Information
We process your personal data for the following purposes:
Performance of contract (GDPR Art. 6(1)(b)):
Provide and operate the Service.
Authenticate your identity.
Process subscription payments.
Send transactional emails (magic links, invitations, status updates).
Legitimate interest (GDPR Art. 6(1)(f)):
Send notification and digest emails (with opt-out).
Prevent abuse and enforce acceptable use (IP tracking, spam detection).
AI-powered features such as duplicate detection, spam filtering, and auto-tagging (with opt-out per Workspace).
Product analytics and service improvement.
Legal obligation (GDPR Art. 6(1)(c)):
Comply with applicable laws, regulations, and legal processes.
You may object to processing based on legitimate interest at any time by contacting us at support@fdback.io.
4. AI Processing and Automated Decisions
When AI features are enabled for a Workspace, the following data may be sent to third-party AI model providers via OpenRouter:
Feedback post titles and descriptions — for duplicate detection, spam filtering, and auto-tagging.
We do not send personal account information (names, email addresses, IP addresses) to AI providers. AI features are optional and can be individually disabled by the Workspace Owner at any time.
Automated decisions made by AI (spam flagging, duplicate suggestions, tag assignments) can be reviewed and overridden by Workspace administrators. Under GDPR Article 22, you have the right not to be subject to decisions based solely on automated processing that significantly affect you. If you believe an automated decision has been made in error, contact the Workspace Owner or us at support@fdback.io.
5. Data Sharing and Third-Party Processors
We do not sell your personal data.
We share data with the following categories of third-party service providers (sub-processors) who assist us in operating the Service:
Infrastructure and hosting:
Vercel (vercel.com) — Application hosting, edge caching, and custom domain management.
Neon (neon.tech) — PostgreSQL database hosting.
Authentication:
Google (google.com) — OAuth authentication provider.
SendGrid (sendgrid.com) — Magic link email delivery, transactional emails, notifications, and digest emails.
Payments:
Stripe (stripe.com) — Payment processing and subscription management. Stripe acts as an independent data controller for payment data.
File storage:
UploadThing (uploadthing.com) — File upload and CDN storage for attachments, logos, and media.
AI processing:
OpenRouter (openrouter.ai) — Routes requests to third-party language model providers for duplicate detection, spam filtering, and auto-tagging. Only feedback post titles and descriptions are sent; no personal data is included.
Analytics:
PostHog (posthog.com) — Optional client-side product analytics. User ID, email, and name may be sent for user identification. PostHog can be self-hosted in the EU.
User-configured integrations (only when you connect them):
Slack, Discord, Linear, Asana — Data shared as configured by the Workspace Owner (e.g., feedback notifications, issue sync).
Apple App Store (iTunes API), Google Play Store — App reviews imported as feedback items.
We may also disclose data: (a) when required by law, regulation, or legal process; (b) to protect the rights, safety, or property of fdback.io, our users, or others; (c) in connection with a merger, acquisition, or sale of assets, in which case you will be notified.
6. Cookies and Tracking Technologies
6.1 Essential Cookies
These are strictly necessary for the Service to function:
Session cookie (authjs.session-token or __Secure-authjs.session-token) — Maintains your authenticated session. HttpOnly, SameSite: Lax.
CSRF token (authjs.csrf-token or __Host-authjs.csrf-token) — Prevents cross-site request forgery. HttpOnly, SameSite: Lax.
Callback URL cookie (authjs.callback-url or __Secure-authjs.callback-url) — Tracks post-login redirect. SameSite: Lax.
6.2 Analytics
If PostHog analytics is enabled, it may use cookies or local storage to track anonymous usage patterns. PostHog is optional and can be configured or disabled.
6.3 Widget Sessions
The embedded Widget uses a session token (x-widget-session-token) passed via HTTP header rather than cookies, as third-party cookies are restricted in iframe contexts.
6.4 Managing Cookies
Essential cookies cannot be disabled without breaking the Service. You can control analytics cookies through your browser settings. Most browsers allow you to block or delete cookies.
7. Data Retention
Account data is retained for the duration of your account and deleted upon account deletion.
Workspace data (posts, comments, votes, changelogs, activity logs) is retained until the Workspace is deleted by its Owner.
Anonymous data (IP-based votes, views, likes) is retained for the lifetime of the associated Workspace.
Integration tokens are deleted when the integration is disconnected or the Workspace is deleted.
Payment records are retained as required by applicable tax and accounting laws.
Server logs are retained for a limited period for security and debugging purposes.
Anonymized or aggregated data may be retained indefinitely for analytical purposes.
Upon account deletion, your personal data is removed. Content you previously submitted to Workspaces (posts, comments) may be retained within the Workspace but will no longer be associated with an identifiable account.
8. Your Rights Under GDPR
Under the General Data Protection Regulation and applicable data protection laws, you have the following rights:
Right of access — Request a copy of the personal data we hold about you.
Right to rectification — Request correction of inaccurate or incomplete data.
Right to erasure — Request deletion of your personal data (see Section 9 for the account deletion process).
Right to restriction — Request that we restrict processing of your data in certain circumstances.
Right to data portability — Receive your data in a structured, machine-readable format. Workspace Owners can export Workspace data in JSON or CSV format.
Right to object — Object to processing based on legitimate interest, including direct marketing.
Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
Right regarding automated decisions — You have the right not to be subject to decisions based solely on automated processing (see Section 4).
To exercise any of these rights, contact us at support@fdback.io. We will respond within 30 days as required by GDPR.
You also have the right to lodge a complaint with a supervisory authority. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.
9. Account and Data Deletion
You may delete your account from the account settings page. To do so:
You must first leave all Workspaces. If you are a Workspace Owner, you must transfer ownership or delete the Workspace before deleting your account.
Account deletion requires explicit confirmation.
Deletion is permanent and removes your account, sessions, and authentication records.
Workspace Owners may delete their Workspace at any time, which permanently removes all associated data (posts, comments, votes, members, changelogs, integrations, and activity logs).
To request deletion of anonymous data associated with your IP address, contact us at support@fdback.io.
10. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
Encrypted connections (HTTPS/TLS) for all data in transit.
Secure session management with HttpOnly and SameSite cookies.
HMAC-SHA256 signing for webhook payloads.
Encrypted storage of third-party OAuth tokens.
Role-based access control with granular permissions.
CSRF token protection for form submissions.
No method of electronic transmission or storage is completely secure. While we take reasonable precautions, we cannot guarantee absolute security. If we become aware of a security breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.
11. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA) where our sub-processors operate (including the United States). Such transfers are protected by:
Standard Contractual Clauses (SCCs) approved by the European Commission.
Adequacy decisions where applicable.
Other appropriate safeguards as required by GDPR.
12. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, contact us at support@fdback.io and we will delete it promptly.
13. Widget and Embedded Content
The fdback.io Widget can be embedded on third-party websites to collect feedback. When you interact with the Widget:
Your interactions (feedback submissions, votes, comments) are processed by fdback.io under these terms.
If anonymous features are enabled, your IP address may be collected.
The Widget operates within the context of the host website. We are not responsible for the privacy practices of third-party websites that embed the Widget.
Website owners who embed the Widget should disclose its use in their own privacy policy.
Email communication
We send the following types of emails via SendGrid:
Transactional emails — Magic link authentication, workspace invitations, account-related notices. These are necessary for the operation of the Service and cannot be opted out of while your account is active.
Notification emails — New feedback, comments on followed posts, vote notifications, post status updates. You can configure these per notification type in your account settings.
Digest emails — Periodic summaries of Workspace activity (daily or weekly). Configurable per Workspace in your notification preferences.
Marketing and product emails — Product updates, new features, offers, and other promotional communications. These are sent only with your consent and you can unsubscribe at any time via the link included in each email.
You can disable all non-essential email notifications through your account settings. You may also unsubscribe from specific notification types individually.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users or through a notice within the Service at least 30 days before they take effect.
Continued use of the Service after changes take effect constitutes acknowledgment of the updated policy.
Contact Information
For questions about this Privacy Policy, to exercise your data rights, or to report a data protection concern:
THINK IT FUTURE SRL
Email: support@fdback.io
Website: https://fdback.io