Privacy Policy

Last updated: June 12, 2026

At Durvey.org, we take privacy seriously. Whether you're a survey creator, participant, or visitor, this policy explains what data we collect, how we use it, and how you remain in control of your personal information.

Welcome to Durvey.org, a service operated by Beleo Labs GmbH ("Durvey.org", "we", "us", or "our"). We respect your privacy and are committed to protecting the personal data of our users and survey participants. This Privacy Policy explains how we collect, process, and protect personal data in connection with the use of our platform and services.

This policy applies to:

  • Registered users of Durvey.org
  • Survey respondents participating in panels or studies created via our platform
  • Visitors to our website

This Privacy Policy also explains how we use analytics to understand how users interact with our services and to continuously improve our features and user experience.

For questions, contact us at: [email protected]

1. Roles under Data Protection Law

Durvey.org acts in two distinct roles depending on the data concerned.

a) As Data Processor (Art. 28 GDPR)

For personal data we process on behalf of and under the documented instructions of our users, in particular:

  • survey and panel content created by users;
  • participant responses and associated metadata;
  • participant email addresses used to deliver invitations;
  • optional AI-based analysis of survey responses.

For this data, the user is the Data Controller and determines the purposes, content, and legal basis of the processing.

b) As Data Controller (Art. 4(7) GDPR)

For personal data we process for our own purposes, in particular:

  • account, registration and billing data of our users;
  • support communications;
  • data of website visitors, cookies set on durvey.org, and product/usage analytics;
  • security, fraud prevention, and aggregated benchmarking/marketing.

For this data, Durvey.org determines the purposes and means and is the responsible controller.

Throughout this policy we indicate, where relevant, in which role we act.

Controller Responsibility for Study Design

Where we act as processor, the user (Controller) alone designs and controls the surveys, panels, and studies created via the platform. This includes deciding which data are collected, how questions are framed, whether direct or indirect identifiers are requested, and whether responses are collected in anonymized, pseudonymized, or identifiable form.

Durvey.org provides technical features that support data minimization and pseudonymization (for example, the option to disable IP collection or to analyze responses in pseudonymized form), but we have no control over, and no visibility into, the substantive design of a study or the content a Controller chooses to collect. Accordingly, the Controller is solely responsible for designing and conducting each study in compliance with applicable law, including establishing a valid legal basis and applying appropriate anonymization or pseudonymization. This responsibility applies with particular force to any special categories of data within the meaning of Art. 9 GDPR.

2. Data We Process

We process the following categories of data:

Data You Provide

  • Account registration details (name, email, password)
  • Organization or billing details (if applicable)
  • Your intended use/interest in our platform
  • Support requests or communication history
  • Survey and panel content you create

Data from Survey Participants

  • Survey answers (text, choices, media)
  • Metadata (timestamp, device, language)
  • IP address (if not disabled by the user)
  • Consent status (if consent forms are used)

Automatically Collected Data

  • Access logs, browser type, OS, and activity (for security and analytics)
  • Cookies (see Section 9)
  • Device identifiers, screen resolution, time spent per page or action
  • User interaction patterns (clicks, hovers, scrolls) via first- and third-party tools

Email Delivery Data (on behalf of users)

When survey creators send invitation emails to participants via Durvey.org, we process the recipients' email addresses and message metadata (such as timestamp, delivery status, and bounce information) solely for the purpose of delivering the invitation.

Durvey.org processes these data as a Data Processor on behalf of the survey creator (Data Controller). We do not use participant email addresses for any purpose other than email delivery or troubleshooting delivery issues.

3. Legal Bases for Processing

We process personal data based on:

  • Art. 6(1)(b) GDPR – Performance of a contract (e.g., account setup, platform use)
  • Art. 6(1)(c) GDPR – Legal obligations (e.g., invoicing, tax law)
  • Art. 6(1)(f) GDPR – Legitimate interests (e.g., platform security, fraud detection)
  • Art. 6(1)(a) GDPR – Consent (e.g., participation in surveys, cookies, marketing)

As a Data Controller, you must ensure that you have a valid legal basis for any data collected via surveys.

4. Purposes of Processing

We use personal data for the following purposes:

  • Provision of our platform and services
  • Account administration and user authentication
  • Technical support and communication
  • Survey creation, distribution, and analysis
  • Compliance with legal obligations
  • Prevention of abuse or misuse of our services
  • Analytics and product improvement (on an aggregated, pseudonymized basis)
  • Analytics and product improvement, including detailed behavioral usage tracking (e.g., feature adoption, interaction trends, performance diagnostics), based on aggregated or pseudonymized data where possible

Some analytical features optionally offer AI-based services (such as Mistral AI's API) to automatically generate aggregated summaries, sentiment analyses, or topic overviews based on survey responses or comments. These AI features are entirely optional and only activated when explicitly requested by the survey creator. Durvey removes known structured identifiers (such as names, email addresses, IP addresses, or device data) before transmission to the AI provider. The Controller remains responsible for ensuring that free-text and other user-generated fields do not contain personal or special-category data. The purpose of this processing is to help survey creators better understand collective trends or insights from their respondents' feedback.

Important: We never use your data or your participants' responses to train AI models, and we never sell user data to third parties. All AI processing is performed solely to deliver the requested feature and data is not retained by the AI provider beyond the processing time required.

We rely on legitimate interests (Art. 6(1)(f) GDPR) for strictly necessary and low-impact analytics, and on explicit consent (Art. 6(1)(a)) where required under GDPR or local ePrivacy laws (e.g., for advanced tracking or cross-site analysis).

We may also use aggregated, pseudonymized, or anonymized data for internal research, statistical reporting, benchmarking, and marketing purposes — for example, to communicate general trends (e.g., "150 projects are currently active in the US") or to improve our product by identifying usage patterns and feature adoption rates.

Such processing is carried out without identifying individual users or participants and is based on our legitimate interest in improving our services, developing new features, and promoting platform effectiveness in line with Art. 6(1)(f) GDPR.

Some platform features may use automated tools, including AI-based technologies, to assist in the analysis of survey responses (e.g., topic clustering, sentiment classification). These processes are carried out in pseudonymized form and do not involve automated decision-making or profiling under Article 22 GDPR.

5. Data Sharing and Subprocessors

We use verified third-party processors to operate the platform. Below we distinguish between subprocessors that handle data we process on behalf of users (where Durvey.org acts as processor) and our own processors that serve Durvey.org's independent operational purposes (where Durvey.org acts as controller).

Subprocessors (processing data on behalf of users)

These providers process personal data under our instructions, on behalf of and for the benefit of our users.

Subprocessor | Purpose | Location
Oracle Cloud | Backend and database hosting | EU
Vercel | Frontend and application hosting | EU/US (SCCs)
AWS (Amazon Web Services) | Transactional email delivery (SES) | EU/US (SCCs)
Mistral AI | Optional AI-based text analysis (structured identifiers removed before transmission) | EU (France)

Durvey.org's own processors (Durvey.org acting as controller)

These providers process data for Durvey.org's own operational and analytical purposes.

Processor | Purpose | Location
Stripe | Payment processing | EU/US (SCCs)
Sentry | Error monitoring and diagnostics | EU/US (SCCs)
Google Analytics | Usage analytics and metrics | US/EU (SCCs)
Microsoft Clarity | Behavioral analytics and session recordings | US/EU (SCCs)

Data is only shared with these processors under binding agreements in compliance with Art. 28 GDPR. We do not sell or share personal data with advertisers or external analytics providers. Google Analytics is configured with IP anonymization enabled (anonymize_ip), ensuring that IP addresses are truncated before being stored or processed.

For email delivery, Durvey.org may temporarily process participant email addresses on behalf of the survey creator. These addresses are automatically deleted or anonymized once the delivery process and related logs (e.g., delivery confirmation or bounce handling) are complete. Where a participant has requested not to be contacted again, a minimal hashed record may be retained solely to honor that suppression, in accordance with the Controller's instructions.

For optional AI-assisted analytics (activated only upon user request), text data with known structured identifiers removed (e.g., participants' written comments with names, email addresses, and device data stripped) may be temporarily processed by Mistral AI's API to generate summaries, sentiment analyses, or thematic overviews. The Controller remains responsible for ensuring that free-text fields do not contain personal or special-category data. Mistral AI is an EU-based provider (France) and acts as a Data Processor in compliance with GDPR. Data shared for this purpose is not retained by Mistral AI beyond the processing time required to deliver the requested analysis. We never use your data to train AI models, and we never sell user data to third parties.

You can request a complete list of active subprocessors by emailing [email protected].

6. International Data Transfers

If any subprocessor or service provider operates outside the EU/EEA, we ensure protection of your data through:

  • Adequacy decisions by the European Commission, or
  • Standard Contractual Clauses (SCCs) as approved by the EU Commission, and
  • Additional security measures as needed (e.g., encryption, strict access controls)

For certain analytics services (e.g., Google Analytics), personal data may be transferred to countries without an adequacy decision, such as the United States. In such cases, we rely on Standard Contractual Clauses (SCCs) and additional safeguards such as data minimization, encryption, and IP anonymization.

7. Data Retention

We retain personal data only as long as necessary for:

  • Providing services to our users
  • Complying with legal retention periods
  • Resolving disputes or enforcing agreements

We retain personal data only as long as necessary and in accordance with data minimization principles. Below are the specific retention periods for different categories of data:

  • Account information: Deleted 30 days after account termination
  • Survey responses: Retained until manually deleted by the user or up to 12 months after project expiration
  • Support tickets and communications: Retained for up to 12 months after resolution
  • Access logs and IP addresses: Retained for a maximum of 90 days
  • Backups: Automatically deleted after 90 days unless required for legal purposes

8. Your Rights as a Data Subject

If you are a survey participant or user from the EU/EEA, you have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten") (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

How to exercise your rights depends on the role Durvey.org plays in the relevant processing:

  • Survey and participation data — contact the relevant survey organizer, who is the Data Controller for that processing. Durvey.org will forward requests and assist as required under Art. 28(3)(e) GDPR.
  • Account, billing, website, or analytics data — contact Durvey.org directly at [email protected], as we act as Data Controller for this data.

9. Cookies and Tracking

We use cookies to provide basic functions of this site (essential cookies) and - with your consent - to collect anonymous usage statistics and optimize the user experience. You can find details on this in our Consent Manager. There you can change or revoke your selection at any time.

Types of cookies we use:

Type | Purpose | Consent required
Essential cookies | Login, CSRF protection | No
Functional cookies | User preferences (e.g., language) | Yes
Analytics cookies | Usage tracking via Google Analytics | Yes
Marketing cookies | May be used in the future for retargeting or campaign optimization. Currently disabled. | Yes

We currently do not use marketing cookies. If this changes, we will update our cookie banner and request your explicit consent in accordance with applicable laws.

You can manage your preferences in our cookie consent banner at any time or visit our Cookie Settings page to view and change your preferences. We use a Consent Management Platform (CMP) to ensure that data collection complies with applicable data protection laws, including ePrivacy and GDPR.

10. Security Measures

We implement technical and organizational measures (TOMs) in line with Art. 32 GDPR, including:

  • TLS encryption
  • Regular software updates and security patching
  • Role-based access control (RBAC)
  • Audit logs for sensitive system actions
  • Encrypted backups
  • Data minimization principles

All staff and subprocessors are bound by strict confidentiality agreements. Access to personal data by system administrators is strictly limited based on necessity and role. All access is logged and subject to periodic review in line with the principle of least privilege ("need-to-know").

11. Children's Data

Durvey.org is not intended for use by children under the age of 16. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

12. Data Processing Agreement (DPA)

If you require a signed DPA to meet your GDPR obligations, please contact us at [email protected]. A standard template is available upon request. We conduct regular internal privacy and security audits to ensure compliance with applicable regulations and best practices.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via platform notification or email. Continued use of the platform after such changes constitutes your acceptance of the updated policy.

14. Behavioral Analytics Tools

We may use behavioral analytics tools to better understand user interaction patterns (e.g., clicks, scrolling behavior, page navigation) and to improve user experience. These tools may record anonymized session data unless otherwise consented.

We ensure that such tools operate in compliance with applicable data protection laws and are configured to minimize the collection of personal data wherever possible. Consent is obtained where legally required.

We may apply machine learning or AI-based techniques to survey data in order to extract insights, identify trends, or cluster similar responses. These analyses are conducted on a pseudonymized or aggregated basis and are never used for automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.

15. Use of Aggregated Data and Benchmarks

We reserve the right to analyze and publish aggregated statistics or trends derived from anonymized or pseudonymized usage data. These insights help us:

  • Understand industry benchmarks
  • Improve platform features
  • Communicate market activity (e.g., "Durvey supports over 150 live projects per month across Europe and North America")

Aggregated data does not contain personal information and cannot be linked back to any individual user or survey participant.

16. AI and Automated Processing

Durvey.org offers optional AI-based services (such as Mistral AI's API) to assist in generating summaries or aggregated insights from survey data. These features are entirely optional and only activated when explicitly requested by the survey creator.

  • AI features are opt-in and never run automatically without user consent.
  • Durvey removes known structured identifiers before transmission; the Controller remains responsible for ensuring that free-text and other fields do not contain personal or special-category data.
  • No automated decision-making or profiling under Art. 22 GDPR is performed.
  • We use EU-based AI providers (Mistral AI, France) to ensure GDPR compliance and minimize data transfer risks.
  • We never use your data or survey responses to train AI models.
  • We never sell user data to third parties.
  • Data is processed solely to deliver the requested feature and is not retained by the AI provider beyond processing time.
  • Survey creators remain responsible for ensuring that survey content does not include personal data in free-text fields that are analyzed by AI-based tools.

17. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact:

Durvey.org
Email: [email protected]