Privacy Policy

Last updated: July 8, 2025

At Durvey.org, we take privacy seriously. Whether you're a survey creator, participant, or visitor, this policy explains what data we collect, how we use it, and how you remain in control of your personal information.

Durvey.org ("we", "us", or "our") respects your privacy and is committed to protecting the personal data of our users and survey participants. This Privacy Policy explains how we collect, process, and protect personal data in connection with the use of our platform and services.

This policy applies to:

  • Registered users of Durvey.org
  • Survey respondents participating in panels or studies created via our platform
  • Visitors to our website

This Privacy Policy also explains how we use analytics to understand how users interact with our services and to continuously improve our features and user experience.

For questions, contact us at: request@durvey.org

1. Roles under Data Protection Law

Under the EU General Data Protection Regulation (GDPR):

  • Durvey.org acts as a Data Processor in accordance with Art. 28 GDPR for all personal data processed on behalf of our users (e.g., survey participants' responses).
  • You, the user (individual or organization), are the Data Controller, responsible for ensuring that any data you collect and process via Durvey.org complies with applicable laws.

Durvey.org does not determine the purpose or legal basis of the data collected through surveys. We only process data based on your documented instructions.

2. Data We Process

We process the following categories of data:

Data You Provide

  • Account registration details (name, email, password)
  • Organization or billing details (if applicable)
  • Your intended use/interest in our platform
  • Support requests or communication history
  • Survey and panel content you create

Data from Survey Participants

  • Survey answers (text, choices, media)
  • Metadata (timestamp, device, language)
  • IP address (if not disabled by the user)
  • Consent status (if consent forms are used)

Automatically Collected Data

  • Access logs, browser type, OS, and activity (for security and analytics)
  • Cookies (see Section 9)
  • Device identifiers, screen resolution, time spent per page or action
  • User interaction patterns (clicks, hovers, scrolls) via first- and third-party tools

3. Legal Bases for Processing

We process personal data based on:

  • Art. 6(1)(b) GDPR – Performance of a contract (e.g., account setup, platform use)
  • Art. 6(1)(c) GDPR – Legal obligations (e.g., invoicing, tax law)
  • Art. 6(1)(f) GDPR – Legitimate interests (e.g., platform security, fraud detection)
  • Art. 6(1)(a) GDPR – Consent (e.g., participation in surveys, cookies, marketing)

As a Data Controller, you must ensure that you have a valid legal basis for any data collected via surveys.

4. Purposes of Processing

We use personal data for the following purposes:

  • Provision of our platform and services
  • Account administration and user authentication
  • Technical support and communication
  • Survey creation, distribution, and analysis
  • Compliance with legal obligations
  • Prevention of abuse or misuse of our services
  • Analytics and product improvement (on an aggregated, pseudonymized basis)
  • Analytics and product improvement, including detailed behavioral usage tracking (e.g., feature adoption, interaction trends, performance diagnostics), based on aggregated or pseudonymized data where possible

We rely on legitimate interests (Art. 6(1)(f) GDPR) for strictly necessary and low-impact analytics, and on explicit consent (Art. 6(1)(a)) where required under GDPR or local ePrivacy laws (e.g., for advanced tracking or cross-site analysis).

We may also use aggregated, pseudonymized, or anonymized data for internal research, statistical reporting, benchmarking, and marketing purposes — for example, to communicate general trends (e.g., "150 projects are currently active in the US") or to improve our product by identifying usage patterns and feature adoption rates.

Such processing is carried out without identifying individual users or participants and is based on our legitimate interest in improving our services, developing new features, and promoting platform effectiveness in line with Art. 6(1)(f) GDPR.

Some platform features may use automated tools, including AI-based technologies, to assist in the analysis of survey responses (e.g., topic clustering, sentiment classification). These processes are carried out in pseudonymized form and do not involve automated decision-making or profiling under Article 22 GDPR.

5. Data Sharing and Subprocessors

We use verified subprocessors to operate the platform securely and efficiently. These may include:

| Subprocessor | Purpose | Location |
|---|---|---|
| Hetzner | Web hosting and infrastructure | Germany |
| Mailgun | Transactional email delivery | EU/US (SCCs) |
| Stripe | Payment processing | EU/US (SCCs) |
| Sentry | Error monitoring | EU/US (SCCs) |
| Google Analytics | Usage analytics and metrics | US/EU (SCCs) |
| Hotjar | UX heatmaps and session replays | EU/US (SCCs) |

Data is only shared with these processors under binding agreements in compliance with Art. 28 GDPR. We do not sell or share personal data with advertisers or external analytics providers. Google Analytics is configured with IP anonymization enabled (anonymize_ip), ensuring that IP addresses are truncated before being stored or processed.

You can request a complete list of active subprocessors by emailing request@durvey.org.

6. International Data Transfers

If any subprocessor or service provider operates outside the EU/EEA, we ensure protection of your data through:

  • Adequacy decisions by the European Commission, or
  • Standard Contractual Clauses (SCCs) as approved by the EU Commission, and
  • Additional security measures as needed (e.g., encryption, strict access controls)

For certain analytics services (e.g., Google Analytics), personal data may be transferred to countries without an adequacy decision, such as the United States. In such cases, we rely on Standard Contractual Clauses (SCCs) and additional safeguards such as data minimization, encryption, and IP anonymization.

7. Data Retention

We retain personal data only as long as necessary for:

  • Providing services to our users
  • Complying with legal retention periods
  • Resolving disputes or enforcing agreements

We retain personal data only as long as necessary and in accordance with data minimization principles. Below are the specific retention periods for different categories of data:

  • Account information: Deleted 30 days after account termination
  • Survey responses: Retained until manually deleted by the user or up to 12 months after project expiration
  • Support tickets and communications: Retained for up to 12 months after resolution
  • Access logs and IP addresses: Retained for a maximum of 90 days
  • Backups: Automatically deleted after 90 days unless required for legal purposes

8. Your Rights as a Data Subject

If you are a survey participant or user from the EU/EEA, you have the following rights under GDPR:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure ("right to be forgotten") (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR)
  • Right to withdraw consent (Art. 7(3) GDPR)
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

To exercise your rights, contact the relevant survey organizer (Data Controller), or reach out to us at request@durvey.org if we act as the processor.

9. Cookies and Tracking

We use cookies to provide basic functions of this site (essential cookies) and - with your consent - to collect anonymous usage statistics and optimize the user experience. You can find details on this in our Consent Manager. There you can change or revoke your selection at any time.

Types of cookies we use:

| Type | Purpose | Consent required |
|---|---|---|
| Essential cookies | Login, CSRF protection | No |
| Functional cookies | User preferences (e.g., language) | Yes |
| Analytics cookies | Usage tracking via Google Analytics | Yes |
| Marketing cookies | May be used in the future for retargeting or campaign optimization. Currently disabled. | Yes |

We currently do not use marketing cookies. If this changes, we will update our cookie banner and request your explicit consent in accordance with applicable laws.

You can manage your preferences in our cookie consent banner at any time. We use a Consent Management Platform (CMP) to ensure that data collection complies with applicable data protection laws, including ePrivacy and GDPR.

10. Security Measures

We implement technical and organizational measures (TOMs) in line with Art. 32 GDPR, including:

  • TLS encryption
  • Regular software updates and security patching
  • Role-based access control (RBAC)
  • Audit logs for sensitive system actions
  • Encrypted backups
  • Data minimization principles

All staff and subprocessors are bound by strict confidentiality agreements. Access to personal data by system administrators is strictly limited based on necessity and role. All access is logged and subject to periodic review in line with the principle of least privilege ("need-to-know").

11. Children's Data

Durvey.org is not intended for use by children under the age of 16. If we become aware that we have collected data from a child without appropriate consent, we will delete it promptly.

12. Data Processing Agreement (DPA)

If you require a signed DPA to meet your GDPR obligations, please contact us at request@durvey.org. A standard template is available upon request. We conduct regular internal privacy and security audits to ensure compliance with applicable regulations and best practices.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via platform notification or email. Continued use of the platform after such changes constitutes your acceptance of the updated policy.

14. Behavioral Analytics Tools

We may use behavioral analytics tools to better understand user interaction patterns (e.g., clicks, scrolling behavior, page navigation) and to improve user experience. These tools may record anonymized session data unless otherwise consented.

We ensure that such tools operate in compliance with applicable data protection laws and are configured to minimize the collection of personal data wherever possible. Consent is obtained where legally required.

We may apply machine learning or AI-based techniques to survey data in order to extract insights, identify trends, or cluster similar responses. These analyses are conducted on a pseudonymized or aggregated basis and are never used for automated decision-making that produces legal or similarly significant effects within the meaning of Art. 22 GDPR.

15. Use of Aggregated Data and Benchmarks

We reserve the right to analyze and publish aggregated statistics or trends derived from anonymized or pseudonymized usage data. These insights help us:

  • Understand industry benchmarks
  • Improve platform features
  • Communicate market activity (e.g., "Durvey supports over 150 live projects per month across Europe and North America")

Aggregated data does not contain personal information and cannot be linked back to any individual user or survey participant.

16. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact:

Durvey.org
Email: request@durvey.org