Data Processing Addendum (DPA)
Effective date: 01.01.2026. Version 1.3.
Provider
BSP LAB, obrt za ostalo računalno programiranje, vl. Bruno Sebastian Penzar
ULICA ĐURE CRNATKA 24, 10000 ZAGREB, Croatia
OIB: 00357376233
Contact: privacy@bsp-lab.dev
1) Roles
You are the controller. BSP LAB is the processor.
2) Processor instructions
We process personal data only on documented instructions from the controller.
3) Subject matter & duration
Processing of feedback responses and related metadata for the duration of your account and until deletion request (plus backup retention up to 30 days).
4) Nature & purpose
- collect and store feedback responses
- provide analytics and exports
- ensure security and abuse prevention
5) Categories of data
- feedback content (text, ratings, selections)
- timestamps
- location labels
- IP hash
- user-agent hash
6) Subprocessors
- Vercel (hosting)
- Supabase (database/auth)
- Cloudflare (DNS/network)
- Google (Gmail support communications)
7) Subprocessor updates
We may update or replace subprocessors. We will provide notice of material changes to our subprocessors, for example via the Service or by email.
8) Security measures
- access control and least-privilege permissions
- encryption in transit (TLS)
- secure hosting environments
9) Data subject rights
We will assist you in fulfilling data subject requests to the extent required by law and feasible.
10) Breach notification
We will notify the controller without undue delay after becoming aware of a personal data breach.
11) Deletion or return
Upon account deletion or request, we will delete data unless retention is required by law. Backup retention up to 30 days.
12) International transfers
If data is transferred outside the EEA, we rely on SCCs or other lawful safeguards from our subprocessors.
13) Audits
You may request information about our security measures. Formal audits may be provided where reasonable.