justsayin — Privacy Policy
Last updated: 6 July 2026
1. Who we are and what this policy covers
Unendlich UG (haftungsbeschränkt), Rotherstraße 24, 10245 Berlin, Germany — registered with the Amtsgericht Charlottenburg under HRB 253965 B and operator of the justsayin service (“justsayin”, “we”, “us”) — is the controller responsible for the personal data described in this Privacy Policy.
This policy explains how we handle personal data when you use the justsayin website (justsayin.io) and the justsayin application (app.justsayin.io): for example, when you create an account, sign in, manage a workspace, communicate with us, or browse our website. It also covers the justsayin account you create if you sign up to take part in a public feedback board hosted by justsayin (feedback.justsayin.io). justsayin is a service for businesses and is not directed at children, and we do not knowingly collect personal data from children.
It does not cover feedback that end users submit through a justsayin widget or public feedback board embedded in another organisation’s website or application: there, justsayin acts only as a processor, the organisation that installed justsayin is the controller responsible for that feedback, and the feedback is governed by our Data Processing Agreement rather than by this policy. If you create a justsayin account to take part in such a board, this policy covers that account itself; the feedback, comments, and votes you post to the board are the responsibility of the organisation whose board it is.
For any question about this policy or your personal data, you can reach us at privacy@justsayin.io.
2. What we process, why, and our legal basis
This section explains the personal data we process as a controller when you use our website and application, why we process it, and our legal basis under Article 6 GDPR. Who we share data with is set out in Section 4, international transfers in Section 5, and how long we keep each kind of data in Section 6.
Visiting our website. When you visit justsayin.io or app.justsayin.io, our servers automatically process standard technical data — such as your IP address, browser and device type, the page requested, and the time of the request — to deliver the pages to you and to keep the service secure and stable. Legal basis: our legitimate interests in operating and securing our website (Article 6(1)(f) GDPR). The cookies and similar technologies we use are described in Section 3.
Your account: creating it, signing in, and keeping it secure. When you or your organisation create an account, we process your name, email address, password (stored only in hashed form), any profile picture you add, and your account preferences, in order to provide the account and the service. Providing this information is necessary to create and use your account; if you do not provide it, we cannot give you access to the service. If someone invites you to a workspace, we receive your email address from the person who invited you in order to send you the invitation. If you sign in through Google, Microsoft, or GitHub, we receive basic identity information from that provider to authenticate you. To protect your account and the service, we also process sign-in records (including times and IP addresses) and information used to detect and prevent unauthorised access and abuse, such as failed-login lockouts. Legal bases: performance of the contract for the account and service (Article 6(1)(b) GDPR) and our legitimate interests in securing the service and preventing abuse (Article 6(1)(f) GDPR).
Workspaces, subscriptions, and billing. When you manage a workspace or use a paid plan, we process workspace and billing details — such as your plan and billing contact and, where you provide them, your company name, VAT identification number, and address — to administer your workspace and manage your subscription and billing. Legal bases: performance of the contract (Article 6(1)(b) GDPR) and, where we are legally required to retain billing and accounting records, compliance with a legal obligation (Article 6(1)(c) GDPR).
Communicating with you. We use a third-party email provider to send you service messages that are necessary to run your account — such as confirmation, password-reset, workspace-invitation, and notification emails — and, where you contact us (for example at privacy@justsayin.io), we process your message and contact details to respond. Legal bases: performance of the contract (Article 6(1)(b) GDPR) for service-essential messages, and our legitimate interests in operating the service and responding to enquiries (Article 6(1)(f) GDPR).
Maintaining and improving our services. We also process technical and usage information — such as error and diagnostic data, and information about how our website and service are used — to keep them working, to troubleshoot problems, and to improve and develop our services. Where we use a website-analytics tool for this purpose, we choose one designed to respect your privacy; any such provider is named in Section 4. Legal basis: our legitimate interests in maintaining, securing, and improving our services (Article 6(1)(f) GDPR).
3. Cookies and local storage
We keep cookies to the minimum needed to run the service. On our website and application (including the public feedback boards we host) we use only strictly necessary cookies: a cookie that maintains your signed-in session and protects our forms against cross-site request forgery, and — only if you choose to stay signed in — a cookie that keeps you logged in across visits. Because these cookies are required to provide the service you have requested, we may set them without your consent under § 25(2) TDDDG, and we therefore do not show a cookie banner. The legal basis for any personal data processed through them is the performance of our contract with you and our legitimate interest in keeping the service secure (Article 6(1)(b) and (f) GDPR).
We do not use advertising, marketing, or cross-site tracking cookies.
When you use the justsayin widget or a public feedback board on another organisation’s website, small amounts of information may be stored in your browser as part of capturing your feedback — for example, to recognise a feedback session or to remember that you have already seen our voice-recording notice. We handle that information as a processor on behalf of the organisation that installed justsayin, and it is governed by our Data Processing Agreement rather than by this policy.
4. Who receives your data
To run the website and application, we share your personal data with a small number of service providers that act as our processors — they process it only on our instructions and under a data-processing agreement (Article 28 GDPR). We do not sell your personal data.
We rely on:
- Hetzner Online GmbH (Germany) — hosting of our servers and application.
- Ubicloud B.V. (Netherlands; database infrastructure in Germany) — the managed database where account, workspace, and billing details are stored.
- Cloudflare, Inc. (United States; storage configured to the EU region) — object storage for files such as profile pictures.
- Brevo (France) — delivery of the service emails described in Section 2.
- mailbox.org (Germany) — hosting of our inbound email and contact mailboxes (for example, messages you send to us).
- Axiom, Inc. (United States; log storage in the EU) — technical logging that helps us keep the service secure and running.
Some of these providers are based outside the European Economic Area, or may transfer data outside it; the safeguards for those transfers are described in Section 5.
The providers that process the feedback submitted through a widget or public board — including our AI transcription and analysis provider — process it on behalf of the organisation that installed justsayin, and are listed in our sub-processor list, which forms part of the Data Processing Agreement.
5. International data transfers
Most of your personal data stays within the European Economic Area (EEA): our hosting, database, and email providers are based in the EU and process your data there.
Some data is transferred to, or accessible from, the United States by the providers identified in Section 4 as based there (our object-storage and logging providers). Where this happens, the transfer is protected by appropriate safeguards under Chapter V of the GDPR: the European Commission’s Standard Contractual Clauses and, for any provider certified under the EU–US Data Privacy Framework, that framework’s adequacy decision. Some of our EU-based providers may in turn rely on their own sub-processors outside the EEA; where they do, those transfers are covered by equivalent safeguards.
You can request a copy of the safeguards we use, or details of where they have been made available, by contacting us at privacy@justsayin.io.
6. How long we keep your data
We keep your personal data only for as long as we need it for the purposes described in this policy, and then delete it. The main periods are:
- Account and profile data — kept for as long as your account exists. When you delete your account, we permanently delete it and the data associated with it; there is no recovery period.
- Technical logs — kept for 30 days, then deleted; short-lived server-side log buffers are overwritten on a rolling basis.
- Backups — retained for up to 10 days on a rolling basis, after which they are overwritten in the normal course.
- Billing and accounting records — kept for the retention periods we are required to observe under German tax and commercial law (in particular §§ 147 AO and 257 HGB), which run up to ten years. We keep these records for that period even after you close your account, because we are legally required to do so (Article 17(3)(b) GDPR).
The retention period for feedback submitted through a widget or public board is set by the organisation that installed justsayin and is governed by our Data Processing Agreement, not this policy.
7. Your rights
You have the following rights over the personal data we hold about you:
- Access — to obtain confirmation of whether we process your data, and a copy of it (Article 15 GDPR).
- Rectification — to have inaccurate or incomplete data corrected (Article 16 GDPR).
- Erasure — to have your data deleted where the conditions are met (Article 17 GDPR).
- Restriction — to have our processing of your data restricted in certain cases (Article 18 GDPR).
- Data portability — to receive the data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible (Article 20 GDPR).
- Objection — to object, on grounds relating to your particular situation, to processing we carry out on the basis of our legitimate interests (Article 21 GDPR).
You can exercise these rights at any time by contacting us at privacy@justsayin.io. You can also update your account details and permanently delete your account directly in your account settings. To protect your data, we may need to verify your identity before acting on a request.
If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a data protection supervisory authority — for us, the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI) — or with the authority in your country of residence or work.
8. Security
We take appropriate technical and organisational measures to protect your personal data and to safeguard its confidentiality, integrity, and availability (Article 32 GDPR). In particular, connections to our service are encrypted in transit (TLS), the personal data we store is encrypted at rest with our hosting and storage providers, our data is hosted on servers located in the European Union, and we minimise the personal data contained in our technical logs.
The technical and organisational measures that apply to feedback processed on behalf of the organisations that installed justsayin are set out in our Data Processing Agreement.
9. Changes to this policy
We may update this Privacy Policy from time to time — for example, to reflect changes to our service, our service providers, or legal requirements. The “last updated” date at the top of this policy always shows the current version. Where a change is material, we will take reasonable steps to bring it to your attention before it takes effect, for example by email or through the service.
10. How to contact us
If you have any questions about this policy or about how we handle your personal data, or if you wish to exercise your rights, you can contact us at:
Unendlich UG (haftungsbeschränkt), Rotherstraße 24, 10245 Berlin, Germany. Email: privacy@justsayin.io.
You also have the right to contact, or lodge a complaint with, a data protection supervisory authority, as described in Section 7.