Echovote - Customer Feedback & Roadmap Software

This privacy policy explains how we handle any information
collected when you use this Framer template.

Last updated: 1 January 2026

Your privacy is important to us. It is CNSDR's policy to respect your privacy regarding any information we may collect from you across our websites, https://echovote.xyz, https://app.echovote.xyz, and tenant workspaces at *.echovote.xyz (collectively "Sites", "Service", "EchoVote").

Contact Information

CNSDR
1098LG Amsterdam
The Netherlands

KvK: 88676471
Email: privacy@echovote.xyz

1. Information We Collect

Log Data

When you visit our websites, our servers may automatically log the standard data provided by your web browser. This may include your computer's Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other technical details.

Device Data

We may collect data about the device you're using to access our website. This data may include the device type, operating system, unique device identifiers, device settings, and general location data (country/region level). What we collect depends on the individual settings of your device and software.

Personal Information Collected by Us

We may ask for personal information, such as your:

First name and last name
Email address
Company name
Payment information (processed by Stripe)

Personal Information Provided by You

When using our Services, you may share the following information:

Team member email addresses (when inviting users)
Feedback posts and ideas
Votes on ideas
Comments
Service inquiries

Anonymized Product Usage Data

We collect anonymized usage data to improve our Services, including feature usage patterns, session duration, and interaction flows. This data cannot be traced back to individual users.

2. Legal Bases for Processing

We process your personal information lawfully, fairly, and in a transparent manner under the General Data Protection Regulation (GDPR). We collect and process information about you only where we have legal bases for doing so.

These legal bases depend on the services you use and how you use them:

Contract performance: When we provide services you request from us, such as creating your account, managing your subscription, and delivering the EchoVote platform.

Legitimate interest: For research and development, to improve our services, ensure security, prevent fraud, and protect our legal rights (where not overridden by your data protection interests).

Consent: When you opt-in to receive our newsletter or marketing communications. You can withdraw consent at any time.

Legal obligation: When we need to process your data to comply with tax, accounting, or other legal requirements.

We don't keep personal information for longer than is necessary. While we retain this information, we will protect it using commercially acceptable means to prevent loss, theft, unauthorized access, disclosure, copying, use, or modification.

3. Collection and Use of Information

We may collect, hold, use, and disclose information for the following purposes:

To enable you to create and manage your EchoVote account
To enable you to access and use our websites and platform
To process payments and manage subscriptions
To contact and communicate with you about your account or our services
For internal record keeping and administrative purposes
For analytics and product improvement, using anonymized data
To comply with our legal obligations and resolve any disputes

We will not process personal information in a manner incompatible with these purposes.

4. Disclosure of Personal Information to Third Parties

We may disclose personal information to third-party service providers for the purpose of enabling them to provide their services. We have Data Processing Agreements (DPAs) in place with each provider.

Our Sub-processors

A complete and up-to-date list of our sub-processors can be found in our Data Processing Agreement. Key service providers include:

Google Cloud Platform / Firebase — Authentication, database, and file storage. Data stored in EU (Netherlands, europe-west4). Google Cloud DPA applies.

Vercel Inc. — Website hosting and content delivery for the application (app.echovote.xyz and tenant workspaces). Data processed in EU & US under EU-US Data Privacy Framework. Vercel DPA applies.

Framer B.V. — Marketing website hosting (echovote.xyz only). Based in the Netherlands. Data processed via global CDN with EU nodes.

Brevo SAS (formerly Sendinblue) — Transactional and marketing email delivery. Based in France. Data stored in EU data centers (France/Germany).

Stripe Payments Europe, Limited — Payment processing. Based in Ireland (EU). Data processed within the EU. Stripe DPA applies.

All sub-processors are contractually bound to protect your data in accordance with GDPR. We have signed Data Processing Agreements with each of them.

For a complete list of sub-processors and their data processing details, please refer to our Data Processing Agreement (DPA).

We may also disclose personal information to:

Our employees and contractors who need access to perform their duties
Courts, tribunals, regulatory authorities, and law enforcement officers, as required by law
Professional advisors (accountants, lawyers) under confidentiality obligations

We do not sell your personal data to third parties.

5. International Transfers of Personal Information

Your personal data is primarily stored and processed within the European Economic Area (EEA), specifically in the Netherlands (Google Cloud region europe-west4).

Some of our service providers (Vercel, Stripe) may process data in the United States. These transfers are protected by:

EU-US Data Privacy Framework (adequacy decision by the European Commission)
Standard Contractual Clauses approved by the European Commission

This ensures your data receives equivalent protection when processed outside the EEA.

6. Data Retention

We retain your personal data for as long as necessary to provide our services and fulfill the purposes described in this policy:

Account information: Duration of your account plus 30 days after deletion request.

Payment and invoice data: 7 years (Dutch tax law requirement).

Support communications: 3 years after resolution.

Anonymized analytics: Indefinitely (cannot be traced to individuals).

Log data: 90 days.

7. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

Right to Access

You may request details of the personal information we hold about you and receive a copy in a commonly used electronic format.

Right to Rectification

If you believe any information we hold about you is inaccurate, out of date, or incomplete, you may request correction.

Right to Erasure ("Right to be Forgotten")

You may request that we delete all personal data we hold about you. Note that some data must be retained for legal compliance (e.g., invoices for 7 years).

Right to Restrict Processing

You may request that we limit the processing of your personal data in certain circumstances.

Right to Data Portability

You may request that we transfer your personal data to another organization in a structured, commonly used, machine-readable format.

Right to Object

You may object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.

Right to Lodge a Complaint

You have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ Den Haag
https://autoriteitpersoonsgegevens.nl

How to Exercise Your Rights

To exercise any of these rights, please contact us at: privacy@echovote.xyz

We will respond to your request within 30 days. If your request is complex or we receive multiple requests, we may extend this period by an additional 60 days, in which case we will notify you.

We may ask you to verify your identity before processing your request.

8. Cookies

We use cookies to collect information about you and your activity across our sites. A cookie is a small piece of data that our website stores on your computer and accesses each time you visit.

Types of Cookies We Use

Strictly Necessary: Enable core functionality like authentication and security. The site cannot function without these. Consent not required.

Functional: Remember your preferences (e.g., language settings) to provide a more personalized experience. Consent not required.

Analytics: Help us understand how visitors use our site, which pages are popular, and how we can improve. Data is aggregated. Consent required.

Marketing: Used to deliver relevant advertisements and track campaign effectiveness. Consent required.

Specific Cookies We Use

__session (Firebase) — Authentication session. Strictly Necessary.

vercel* (Vercel) — Performance and analytics. Analytics.

Various (Google Analytics) — Website analytics. Analytics.

Managing Your Cookie Preferences

You can manage your cookie preferences at any time:

Cookie banner: Adjust your preferences when you first visit our site
Browser settings: Most browsers allow you to block or delete cookies
Opt-out links: For specific services like Google Analytics, you can use their opt-out tools

Note: Blocking strictly necessary cookies may impact the functionality of our services.

9. Data Processing for EchoVote Workspaces (B2B)

EchoVote is a B2B service that enables companies to collect feedback from their users.

When Our Customers Use EchoVote:

Your customer (the company using EchoVote) is the Data Controller for their end-users' data
CNSDR/EchoVote acts as the Data Processor on behalf of our customer
Processing is governed by our Data Processing Agreement (DPA) with each customer

For End-Users of Companies Using EchoVote:

If you are submitting feedback, voting, or commenting on a workspace like [company].echovote.xyz, the company operating that workspace is responsible for your data. Please refer to that company's privacy policy for information about how they handle your personal data.

If you have questions about data processed in a specific workspace, please contact the company that operates that workspace directly.

For Our Business Customers:

We provide a Data Processing Agreement (DPA) that complies with Article 28 of the GDPR. This agreement governs how we process personal data on your behalf. Contact us at privacy@echovote.xyz to request a copy.

10. Data Security

We have implemented appropriate technical and organizational measures to protect your personal data, including:

Encryption in transit (TLS 1.3) and at rest
Access controls and authentication requirements
Regular security assessments
Employee confidentiality obligations
Secure data centers (Google Cloud, SOC 2 certified)

While we take all reasonable precautions, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute data security.

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

Notify the Dutch Data Protection Authority within 72 hours
Notify affected individuals without undue delay (if high risk)
Document the breach and our response

11. Children's Privacy

Our services are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@echovote.xyz.

12. Business Transfers

If CNSDR or its assets are acquired, or in the unlikely event that we go out of business or enter bankruptcy, personal data would be among the assets transferred to acquiring parties. You acknowledge that such transfers may occur and that any parties who acquire us may continue to use your personal information according to this policy.

13. Links to External Sites

Our websites may link to external sites that are not operated by us. We have no control over the content and policies of those sites and cannot accept responsibility for their privacy practices. We encourage you to review the privacy policy of any site you visit.

14. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify users of significant changes via email or a prominent notice on our website.

Your continued use of our services after changes to this policy constitutes acceptance of the updated policy.