Privacy Policy

Last updated: 2026-05-21

Placeholder copy. Have a privacy lawyer review before relying on this document. The language below is a reasonable scaffold but is not legal advice.

1. Who we are

Questaion (“we”, “our”, “us”) operates the Questaion survey platform. We act as a “business” under the California Consumer Privacy Act (CCPA / CPRA) and as a “controller” under the EU/UK General Data Protection Regulation (GDPR) for the limited personal data we collect about accountholders. We act as a “service provider” / “processor” for data that our customers collect from their respondents using Questaion surveys.

2. What we collect

Account data

  • Email, name, hashed password, workspace membership
  • Authentication cookies and CSRF tokens
  • Plan, billing region (we don't process card numbers directly)

Usage data

  • IP address, user agent, page views (only with analytics consent)
  • API key usage timestamps for security and quota enforcement

Respondent data (collected by our customers)

  • Answers, started/completed timestamps, response duration
  • Respondent email (if provided), browser metadata, and any context fields the survey author chose to surface from their /external/invitations payload

3. Why we use it

  • To run and secure the service (contract, legitimate interest)
  • To send transactional emails such as password resets (contract)
  • To improve the product via aggregate analytics (consent)
  • To comply with legal obligations (tax, fraud, lawful requests)

4. Your rights

Whether you reside in the EEA, UK, California, or elsewhere, you can:

  • Access a copy of your data — use GET /api/v1/privacy/me/export or email privacy@questaion.com.
  • Delete your account and authored content — use DELETE /api/v1/privacy/me in the API or the “Delete account” button in settings.
  • Object to or restrict certain processing — email us.
  • Withdraw consent at any time via the cookie banner (Customize → Reject analytics).
  • Lodge a complaint with your local supervisory authority. EU residents may contact the relevant Data Protection Authority; California residents may contact the California Attorney General.

If your data was collected by a survey owner using Questaion, please contact that survey owner directly. We can forward your request via POST /api/v1/privacy/respondent.

5. Retention

Account data is retained while your account is active and for up to 30 days after deletion in encrypted backups. Survey responses follow the retention period configured by the survey author (see each survey's settings.retention_days). When a retention window expires, responses and their answers are permanently deleted.

6. International transfers

We host on Google Cloud (United States by default). For customers requiring EU residency, contact us about our EU multi-region deployment. Transfers from the EEA/UK/Switzerland to the US rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as applicable.

7. Cookies and tracking

We use strictly necessary cookies for authentication and CSRF protection. Analytics cookies (PostHog) are only set after you opt in via the consent banner.

8. Security

We encrypt data in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorized personnel and protected by SSO + 2FA. We maintain an information security program aligned with SOC 2 controls.

9. Changes

We'll post material changes here and, for accountholders, by email. Continued use of the service after notice constitutes acceptance.

10. Contact

privacy@questaion.com