Gistback

Last updated May 12, 2026

Privacy Policy

This Privacy Policy (the “Policy”) describes how Gistback (“Gistback,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the Gistback websites, applications, APIs, short links (including gbk.sh), and related services (collectively, the “Service”). This Policy is incorporated into and made a part of our Terms of Service.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, do not use the Service.

1. Scope and Roles

The Service has two principal categories of users:

  • Customers: businesses and individuals that create Gistback accounts to deploy feedback forms and receive reports.
  • Submitters: end users who submit feedback through a Customer's Gistback form.

For Customer accounts, billing, our marketing site, security, analytics, and product development, Gistback acts as the controller (or business, as applicable) of personal data.

For feedback Submissions and any optional contact data Submitters provide through a Customer's form, Gistback acts as a processor (or service provider) on behalf of the Customer. The Customer is the controller of those Submissions and is solely responsible for providing required notices, obtaining required consents, lawfully collecting data, and honoring Submitters' rights requests under applicable law. Submitters should direct privacy questions about a particular form to the Customer that operates it.

2. Information We Collect

2.1 Information from Customers.

  • Account information, including name, email, organization name, role, password hashes or authentication identifiers from our authentication provider, and account preferences.
  • Billing information, including plan, subscription status, billing address, tax identifiers, transaction amounts, metering counts, partial payment-instrument identifiers, and invoices. Full payment-card data is collected and stored by our payment processor; we do not store full card numbers.
  • Configuration and content, including site names, slugs, branding, prompts, short links, report preferences, and any content you upload or paste into the Service.
  • Communications, including support requests, feedback, and survey responses.
  • Usage, device, and technical data, including IP address, approximate location derived from IP, browser type and version, operating system, device identifiers, language, referring and exit pages, pages and features accessed, time stamps, click data, error logs, and similar telemetry.

2.2 Information from Submitters.

  • Feedback content the Submitter chooses to provide.
  • Optional contact information (such as name and email) when the Customer's form is configured to allow it and the Submitter chooses to provide it.
  • Submission metadata, including a hashed anti-duplicate token, time-on-page, the short code that produced the visit, IP-derived signals used for spam screening and abuse prevention, and basic device/user-agent strings.

2.3 Information from Other Sources.

  • Service providers (authentication, payments, email, analytics, security, AI inference, short links).
  • Public sources for fraud and abuse prevention (such as IP-reputation lists).
  • Marketing and event partners that may share lead information with us.

2.4 Cookies and Similar Technologies.

We use a small number of cookies and similar technologies for essential functions (authentication, session continuity, security, load balancing, anti-fraud, CSRF protection), and for privacy-preserving analytics. We do not use cookies or pixels to deliver third-party behavioral advertising. Most browsers let you refuse or delete cookies; refusing essential cookies may impair the Service.

3. How We Use Information

We use information to:

  • provide, operate, secure, maintain, and improve the Service;
  • screen Submissions for spam, fraud, abuse, fakes, harmful content, personally identifiable information, coherence, and actionability;
  • generate Output, including reports, summaries, classifications, and recommended actions, including by sending data to AI providers under appropriate contractual protections;
  • authenticate users, prevent unauthorized access, and enforce our policies and Terms;
  • bill Customers, meter usage, send invoices, and collect amounts owed;
  • communicate with Customers about transactional matters, security, policy changes, and product updates;
  • send marketing communications consistent with applicable law and user preferences;
  • personalize and improve the Service, including analyzing usage patterns and conducting research and development;
  • comply with legal obligations and respond to lawful requests from governmental authorities;
  • establish, exercise, or defend legal claims; and
  • create, derive, and use aggregated, anonymized, statistical, or de-identified data for any lawful business purpose, including operating, improving, marketing, training, and tuning our products, services, and models. We commit to maintain and use such data only in de-identified form and not to attempt to re-identify it, except as required to verify our de-identification processes.

3.1 Legal Bases (EEA/UK).

Where the GDPR or UK GDPR applies and Gistback is the controller, we process personal data on the following legal bases: (a) performance of a contract; (b) compliance with legal obligations; (c) our legitimate interests (such as operating, securing, and improving the Service, preventing fraud and abuse, marketing our services, and exercising legal claims), balanced against your rights and interests; and (d) consent, where required.

4. AI Processing

The Service uses third-party large language models to screen Submissions and generate Output. We send only the data reasonably necessary to perform these tasks. We contract with our AI providers for zero-retention or short-retention processing where commercially available, and we do not authorize them to use Customer Content or Submissions to train their general-purpose foundation models. AI Output may be inaccurate, incomplete, biased, or otherwise unreliable; Customers must independently evaluate Output before relying on it.

Gistback may use Customer Content, Submissions, and Output to train, fine-tune, and evaluate Gistback's own internal models that power features of the Service, provided that any such use is limited to internal operation and improvement of the Service and that any publicly released model derived from such training is trained only on data in aggregated, anonymized, statistical, or de-identified form.

5. How We Share Information

We share information only as described below.

  • With the Customer whose form a Submitter used, including the Submission and any optional contact data the Submitter provided.
  • With service providers and subprocessors that help us run the Service (including hosting, authentication, payments, email delivery, analytics, error monitoring, customer support, AI inference, and short links). They are contractually bound to use information only on our behalf and consistent with this Policy.
  • With professional advisors such as lawyers, auditors, accountants, and insurers.
  • For legal, safety, and enforcement reasons, including to (a) comply with applicable law, regulation, legal process, or governmental request; (b) enforce our Terms and policies; (c) detect, prevent, or address fraud, security, or technical issues; and (d) protect the rights, property, or safety of Gistback, our users, or others.
  • In a business transaction such as a financing, merger, acquisition, reorganization, or sale of all or a portion of our assets, in which case information may be transferred, subject to standard confidentiality protections.
  • With your consent or at your direction.
  • In aggregated or de-identified form, which is not personal information.

We do not sell personal information for monetary consideration, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under U.S. state privacy laws.

6. Data Retention

We retain personal data only for as long as reasonably necessary to fulfill the purposes for which it was collected, including to provide the Service, comply with our legal, tax, accounting, and audit obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account and billing records are retained for the life of the account and for a reasonable period thereafter as required for legal and audit purposes.
  • Submissions are retained for as long as the Customer's account is active or until the Customer deletes them. After account closure, Submissions are deleted or de-identified within a commercially reasonable period.
  • Server logs and security records are retained for a limited period sufficient to investigate abuse and meet our obligations.
  • Backup copies may persist for a limited period after deletion in accordance with our backup-rotation schedules.

7. Security

We implement administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, scoped access controls, audit logging, and routine security reviews. No system is perfectly secure, and we cannot guarantee the absolute security of any information you provide. You are responsible for safeguarding your account credentials and API keys, and for promptly notifying us at security@gistback.com of any suspected unauthorized access.

8. International Data Transfers

Gistback is operated from the United States and may transfer, process, and store information in the United States and other countries where our service providers operate. These countries may have data-protection laws that differ from those in your country. Where required, we rely on appropriate transfer mechanisms (such as the EU Standard Contractual Clauses and the UK Addendum) to lawfully transfer personal data internationally. By using the Service, you acknowledge that your information may be transferred to and processed in jurisdictions outside your home country.

9. Your Rights and Choices

Depending on where you live, you may have rights with respect to personal data we process about you, including the rights to: access, correct, delete, port, restrict, or object to processing; withdraw consent (where processing is based on consent); opt out of certain disclosures; and lodge a complaint with a supervisory authority. We will respond to verifiable requests in accordance with applicable law. We may decline requests to the extent permitted by law (for example, where retention is required for legal or security reasons, or where granting the request would adversely affect the rights and freedoms of others).

Customers can manage account data and Submissions directly through the Service. To exercise other rights, contact us at privacy@gistback.com.

Submitters: if you submitted feedback through a Gistback form and wish to access, correct, delete, or restrict processing of that Submission, please contact the Customer that operates the form. As a processor, Gistback will support that Customer in honoring your request as required by law and our contract with that Customer.

9.1 U.S. State Privacy Rights.

Residents of California, Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have additional rights, including the right to know, the right to delete, the right to correct, the right to portability, the right to opt out of sales, sharing for cross-context behavioral advertising, and certain profiling, and the right not to be discriminated against for exercising privacy rights. As stated above, we do not sell personal information or share it for cross-context behavioral advertising.

9.2 Marketing Choices.

You may opt out of marketing emails by following the unsubscribe link in any marketing email. We may still send transactional or relationship messages necessary to provide the Service.

9.3 Do Not Track.

Our Service does not currently respond to “Do Not Track” signals; however, we limit our cookie use to essential and privacy-preserving analytics as described above.

10. Children's Privacy

The Service is intended for businesses and is not directed to children under 16, and we do not knowingly collect personal data from children under 16. Customers must not configure or use the Service to collect personal data from children. If you believe a child has provided personal data to us, contact us and we will take appropriate steps to delete it.

11. Third-Party Sites and Services

The Service may contain links to, or interoperate with, third-party websites and services. We are not responsible for the privacy practices or content of those third parties. We encourage you to review their privacy notices.

12. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will use commercially reasonable efforts to notify you (for example, by updating the “Last updated” date and, where appropriate, providing additional notice through the Service or by email). Your continued use of the Service after the effective date constitutes acceptance of the updated Policy. If you do not agree, your sole remedy is to stop using the Service.

13. Disclaimers

To the maximum extent permitted by law, Gistback disclaims all warranties regarding the security, integrity, completeness, and accuracy of personal data and the Service. The disclaimers and limitations of liability set forth in our Terms of Service apply to claims relating to this Policy.

14. Contact

For questions, requests, or complaints about this Policy or our privacy practices, contact us at privacy@gistback.com. For security issues, contact security@gistback.com.

© 2026 Gistback. All rights reserved.
