GDPR

For account holders, website visitors, and prospects who interact directly with Votiq, Votiq is the data controller.

For end users who submit feedback through a customer's Votiq widget or public portal, the customer is typically the data controller and Votiq acts as a processor handling data on the customer's documented instructions.

• Identity and contact data (name, email, organisation).
• Account and authentication data.
• Billing and transaction records.
• Technical and usage data (IP address, device/browser information, logs).
• Support correspondence.
• Feedback content and interaction data submitted via customer workspaces.

We process personal data for the purposes described in our Privacy Policy. Typical lawful bases include performance of a contract, legitimate interests (such as securing and improving the Service), compliance with legal obligations, and consent where required.

Subject to applicable law and exceptions, you have the right to:

• Request access to your personal data.
• Request correction of inaccurate data.
• Request erasure in certain circumstances.
• Request restriction of processing.
• Object to processing based on legitimate interests or for direct marketing.
• Request data portability where processing is based on contract or consent and carried out by automated means.
• Withdraw consent at any time where processing relies on consent, without affecting prior lawful processing.

Email [email protected] with your request. We respond within one month in most cases, which may be extended by two further months for complex requests as permitted by law.

We may ask for information to verify your identity. If we process your data as a processor on behalf of a Votiq customer, we may direct you to contact that customer as controller.

We use vetted subprocessors for infrastructure, payments, email delivery, analytics, and related services. Subprocessors are bound by contractual obligations consistent with Article 28 GDPR where applicable.

A current list of subprocessors is available on request to [email protected].

Where personal data is transferred outside the UK or EEA, we implement appropriate safeguards such as adequacy decisions, UK IDTAs, EU Standard Contractual Clauses, or other lawful transfer mechanisms.

We retain personal data only for as long as necessary for the purposes collected, including contractual, legal, accounting, and reporting requirements. Retention criteria include the nature of data, purpose of processing, and applicable statutory periods.

We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.

You have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): ico.org.uk

GDPR and privacy enquiries: [email protected]