Privacy Policy
Last updated: April 2026
1. Data Controller
The data controller for suPlayPoll is suPlay B.V., Ruwerstraat 9, 7545 SM Enschede, The Netherlands. You can reach us at info@suplay.nl.
2. What Data We Collect
When you use suPlayPoll, we may collect the following data:
- Votes and responses: Your answers to polls. In anonymous mode, votes are not linked to your identity. In authenticated mode, your name and/or email address may be linked to your participation, but individual votes remain anonymous by default.
- Optional participant info: If provided, your name and/or email address when joining an event.
- Session tokens: Technical identifiers to maintain your session.
- Presenter accounts: Name, email address, and hashed password for event presenters.
3. How Data Is Stored
All data is stored in a PostgreSQL database hosted by TransIP / team.blue on servers located in the Netherlands. Data is transmitted over encrypted connections (HTTPS/TLS).
4. Cookies
We use only essential cookies:
- Session token (essential, httpOnly) — maintains your participant session.
- Authentication JWT (essential, httpOnly) — keeps presenters logged in.
We do not use any tracking, analytics, or advertising cookies.
5. Who Has Access
- Event presenters can view aggregate poll results for their events. In authenticated mode, they can see which participants joined but cannot link individual votes to participants in anonymous mode.
- System administrators at suPlay B.V. have access to the database for operational purposes. Any administrative impersonation of a presenter account is logged and retained for 90 days.
- Subprocessors named on our Subprocessors page process data on our behalf under signed Data Processing Agreements.
6. Lawful basis (GDPR Art. 6)
| Purpose | Data | Lawful basis |
|---|---|---|
| Operate a presenter account | Name, email, hashed password | Contract (Art. 6(1)(b)) |
| Run a poll / collect votes | Votes, optional participant name/email, session token | Legitimate interests (Art. 6(1)(f)) or consent when identifying data is voluntarily provided |
| Send transactional email (verification, reset, invitation) | Email, name | Contract + legitimate interests |
| Billing and subscription management | PayPal payer identifiers, plan, billing events | Contract + legal obligation (tax retention) |
| Security, fraud prevention, rate limiting | IP address — processed transiently as a Redis counter key (typically for seconds up to one hour), not written to the application database or server logs | Legitimate interests |
| Error monitoring and service stability | Stack traces with personally-identifying fields scrubbed | Legitimate interests |
7. Retention
| Data category | Retention | Reason |
|---|---|---|
| Presenter account | Until deletion request, plus 30 days grace | Allow account recovery |
| Events, polls, votes | Retained until the presenter deletes the event or closes their account. Scheduled automatic expiry 12 months after archival is planned (see our SLA and public roadmap). | Typical reuse window; minimisation thereafter |
| Participant name/email | Same as the parent event (cascaded) | Minimisation |
| Email-verification and password-reset tokens | Deleted on use or after 24-hour expiry | No purpose once consumed |
| Billing events, invoices | 7 years | Dutch tax law |
| Admin impersonation log | 90 days | Forensics + access-review |
| Sentry error events | Sentry default (30–90 days) | Operated by subprocessor; see their retention schedule |
| Database backups | 30 rolling daily, 12 rolling monthly; then overwritten | Recovery window + long-tail integrity |
8. International transfers
Application data is hosted in the Netherlands. Personal data reaches non-EU subprocessors only for transactional email (see Resend — EU), error monitoring (Sentry — currently US, scrubbed of personally identifying fields, migration to the EU region planned), and payment processing (PayPal — Luxembourg EU entity with a US parent). Transfers to the United States are performed under Standard Contractual Clauses (SCCs) 2021/914. See our Subprocessors page for the complete list and legal basis of each transfer.
9. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the right to:
- Access your personal data (Art. 15). Presenters can self-export via /settings → “Download my data”.
- Rectify inaccurate data (Art. 16). Presenters can edit name/email in /settings.
- Delete your data (Art. 17, “right to be forgotten”). Presenters can self-delete their account via /settings. Participants can ask the presenter or email privacy@suplay.nl.
- Port your data to another service (Art. 20). Machine-readable JSON via the account-export endpoint (CSV export of votes and participants is available per-event from the presenter dashboard).
- Restrict or object to processing (Art. 18, 21). Email privacy@suplay.nl.
- Lodge a complaint with a supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
We respond to data-subject requests within 30 days. If a request is complex we may extend by a further 60 days with notice.
10. Security measures
See our Security Summary for the full list of technical and organisational measures, including TLS, password and token hashing, rate limiting, the runtime non-root user, SELinux, backup encryption, and incident response.
11. Contact
suPlay B.V.
Ruwerstraat 9, 7545 SM Enschede, The Netherlands
General: info@suplay.nl
Privacy / data-subject requests: privacy@suplay.nl
Managing Director: Holger Schiele.
Data Protection contact: Frederik Vos, Co-founder and Head of Development.