Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for suPlay Poll is suPlay B.V., Ruwerstraat 9, 7545 SM Enschede, The Netherlands. You can reach us at info@suplay.nl.
2. What Data We Collect
When you use suPlay Poll, we may collect the following data:
- Votes and responses: Your answers to polls. In anonymous mode, votes are not linked to your identity. In authenticated mode, your name and/or email address may be linked to your participation, but individual votes remain anonymous by default.
- Optional participant info: If provided, your name and/or email address when joining an event.
- Session tokens: Technical identifiers to maintain your session.
- Presenter accounts: Name, email address, and hashed password for event presenters.
3. How Data Is Stored
All data is stored in a PostgreSQL database hosted by TransIP / team.blue on servers located in the Netherlands. Data is transmitted over encrypted connections (HTTPS/TLS).
4. Cookies
We use only essential cookies:
- Session token (essential, httpOnly) — maintains your participant session.
- Authentication JWT (essential, httpOnly) — keeps presenters logged in.
We do not use any tracking, analytics, or advertising cookies.
5. Who Has Access
- Event presenters can view aggregate poll results for their events. In authenticated mode, they can see which participants joined but cannot link individual votes to participants in anonymous mode.
- System administrators at suPlay B.V. have access to the database for operational purposes. Any administrative impersonation of a presenter account is logged and retained for 90 days.
- Subprocessors named on our Subprocessors page process data on our behalf under signed Data Processing Agreements.
6. Lawful basis (GDPR Art. 6)
| Purpose | Data | Lawful basis |
|---|---|---|
| Operate a presenter account | Name, email, hashed password | Contract (Art. 6(1)(b)) |
| Run a poll / collect votes | Votes, optional participant name/email, session token | Legitimate interests (Art. 6(1)(f)) or consent when identifying data is voluntarily provided |
| Send transactional email (verification, reset, invitation) | Email, name | Contract + legitimate interests |
| Billing and subscription management | PayPal payer identifiers, plan, billing events | Contract + legal obligation (tax retention) |
| Security, fraud prevention, rate limiting | IP address — processed transiently as a Redis counter key (typically for seconds up to one hour), not written to the application database or server logs | Legitimate interests |
| Error monitoring and service stability | Stack traces with personally-identifying fields scrubbed | Legitimate interests |
7. Retention
| Data category | Retention | Reason |
|---|---|---|
| Presenter account | Until deletion request, plus 30 days grace | Allow account recovery |
| Events, polls, votes | Retained until the presenter deletes the event. CLOSED events that have been idle for 90 days are automatically archived. Archived events follow tier-based retention: 1 year on the Free plan, 5 years on Academic, Professional, and Enterprise. The presenter is emailed before deletion (1 month ahead on Free, 6 months ahead on paid plans); opening or editing the event resets the clock. | Typical reuse window; data minimisation thereafter |
| Participant responses & names | Same retention as the parent event (cascaded on deletion). | Minimisation |
| Unverified user accounts | Purged 30 days after signup if email is never verified | No legitimate purpose once unverified |
| Pending event invitations | Purged 90 days after sending if never redeemed | Minimisation; recipient can be re-invited |
| GDPR erasure requests | Auto-fulfilled 7 days after submission (per Art. 12(3)) | Statutory deadline with a short verification window |
| Email-verification and password-reset tokens | Deleted on use or after 24-hour expiry | No purpose once consumed |
| Billing events, invoices | 7 years | Dutch tax law |
| Admin impersonation log | 90 days | Forensics + access-review |
| Sentry error events | Sentry default (30–90 days) | Operated by subprocessor; see their retention schedule |
| Database backups | 30 rolling daily, 12 rolling monthly; then overwritten | Recovery window + long-tail integrity |
8. International transfers
suPlay B.V. is established in the Netherlands and operates the application from servers in the Netherlands. All processing subprocessors used today are located in the EU: transactional email (Resend, EU), application error monitoring (Sentry, EU region —ingest.de.sentry.io), encrypted backup storage (Scaleway, NL/FR). Subscription billing is handled by PayPal (Europe) S.à r.l. et Cie, S.C.A. in Luxembourg; onward transfers to the US parent for fraud-prevention purposes are governed by Standard Contractual Clauses (SCCs) 2021/914. See our Subprocessors page for the complete list and legal basis of each transfer.
9. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the right to:
- Access your personal data (Art. 15). Presenters can self-export via
/settings→ “Download my data”. - Rectify inaccurate data (Art. 16). Presenters can edit name/email in
/settings. - Deleteyour data (Art. 17, “right to be forgotten”). Presenters can self-delete their account via
/settings. Participants can ask the presenter or email privacy@suplay.nl. - Port your data to another service (Art. 20). Machine-readable JSON via the account-export endpoint (CSV export of votes and participants is available per-event from the presenter dashboard).
- Restrict or object to processing (Art. 18, 21). Email privacy@suplay.nl.
- Lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
We respond to data-subject requests within 30 days. If a request is complex we may extend by a further 60 days with notice.
10. Security measures
See our Security Summary for the public-facing list of technical and organisational measures, including TLS, password and token hashing, rate limiting, runtime privilege isolation, mandatory access controls, backup encryption, and incident response. Detailed measures (versions, internal topology, audit-log retention) are available on request to customers with a signed DPA.
11. Contact
suPlay B.V.
Ruwerstraat 9, 7545 SM Enschede, The Netherlands
General: info@suplay.nl
Privacy / data-subject requests: privacy@suplay.nl
Managing Director: Holger Schiele.
Data Protection contact: Frederik Vos, Co-founder and Head of Development.