Privacy Policy

Last updated: May 19, 2026

Your data is your data, not ours. This policy explains what we collect, why we collect it, how it's handled, and your rights. We never sell your personal data — and we never will.

This policy covers Votiez itself — the dashboard you use to manage your project, and the public boards, roadmaps, and changelogs we host for you. It does not separately govern the end users who submit feedback to a board you've created; for that, we act as a data processor on your behalf, and you are responsible for telling your end users how their submissions are handled in your own product's privacy policy.

What we collect and why

Our guiding principle is to collect only what we need to run the Service. Here's what that means in practice.

Identity and account information

When you sign up, we collect your email address, name, and (optionally) a profile picture. Authentication is handled by Clerk, which stores your credentials and session tokens on our behalf. We use this information to identify your account, send you essential product emails, and personalize the app.

Project and feedback content

When you create a project on Votiez, we store the project's name, logo, brand colors, subdomain, the feedback posts you and your users submit, votes, comments, roadmap entries, and changelog entries. This content lives in our database for as long as your account is active so the Service can function as intended.

Billing information

If you upgrade to a paid plan, your payment is processed by Polar. Card numbers go directly to Polar and never touch our servers. We store a record of the transaction — Polar customer ID, subscription ID, plan, status, billing period — so we can invoice you, apply the correct plan limits, and resolve billing questions.

Email correspondence

If you email us or submit a support request, we keep the message, including your email address, so we have a record if you reach out again.

Server logs

Our hosting provider (Railway) and database provider (Convex) keep short-lived operational logs that may include IP addresses, request paths, and timestamps. We use these only for debugging, security monitoring, and abuse prevention.

Cookies

We use a small number of strictly-necessary cookies (set by Clerk) to keep you signed in. We do not currently run third-party analytics or advertising cookies. If we add analytics in the future, we will update this policy and — where required by law — present a cookie consent notice before any non-essential cookie is set.

Sub-processors we rely on

Votiez is built on top of a small number of trusted infrastructure providers. Each one processes a specific category of data on our behalf:

  • Clerk — authentication, session management, and account profile. Stores your email, name, and password hash.
  • Convex — our application database. Stores your projects, feedback posts, votes, comments, roadmaps, and changelogs. Hosted in the United States.
  • Polar — payment processing and subscription management. Stores billing details, including card information we never see.
  • Resend — transactional email delivery (invitations, billing notices, account notifications). Processes the recipient email address and message content.
  • Railway — hosting for the Votiez web application.

If we add or change a sub-processor, we'll update this list and refresh the date at the top of this page.

When we access or disclose your information

To provide the Service. We share the categories of data described above with the sub-processors listed above, strictly to operate Votiez on your behalf.

With your permission. If you publish a public feedback board, the content of that board (titles, descriptions, comments, vote counts, public author names) is visible to anyone with the link. That's the intended behavior — but it's worth being explicit about it.

To help with support. If you ask us to help with an issue, we may need to look at your account to investigate. We try to minimize what we look at and avoid accessing content unless necessary.

To investigate abuse or threats. If we have a good reason to believe an account is being used to harass others, distribute malware, host illegal content, or compromise the Service, we may access logs or content as part of that investigation.

When required by law. If we receive a valid legal request from a competent authority, we will comply to the extent required. Where it is legal to do so, we will notify the affected account before disclosing data.

Aggregated / de-identified data. We may use aggregated or de-identified data (for example, "X% of accounts have at least one active feedback board") for product analytics or marketing. This data cannot be traced back to an individual.

Business transfer. If Votiez is ever acquired by or merged with another company, we'll notify you before any personal information is transferred or becomes subject to a different privacy policy.

Your rights

We aim to honor the same data rights for everyone, regardless of where you live. Some of these are required of us by the EU/UK General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA); others are simply how we think people should be treated.

  • Right to know and access — you can ask us what personal information we hold about you and get a copy.
  • Right to correction — you can update most of your profile information directly from your account settings, or ask us to do it.
  • Right to deletion / erasure — you can delete your account from the dashboard, or email us to do it for you. Some information (for example, invoices required for tax compliance) may be retained for the minimum period the law requires.
  • Right to data portability — you can request an export of your account data in a machine-readable format by emailing privacy@votiez.com. We'll provide it within 30 days.
  • Right to object / restrict processing — you can ask us to stop processing your data for certain purposes (for example, optional product emails).
  • Right to lodge a complaint — if you're in the EU or UK, you have the right to complain to your local data protection authority.
  • Right to non-discrimination — we won't charge you more or give you a worse Service for exercising any of these rights.

To exercise any of these rights, email us at privacy@votiez.com from the email address on file. We may need to verify your identity before we can act on a request.

How we secure your data

All traffic to and from Votiez is encrypted in transit using TLS. Our database (Convex) encrypts data at rest, and backups are encrypted as well. Authentication is handled by Clerk, which is independently audited (SOC 2 Type II) and follows industry-standard password and session-token practices.

No system is perfectly secure. If you discover a vulnerability, please report it to privacy@votiez.com so we can fix it.

What happens when you delete content or your account

When you delete a feedback post, comment, project, or other item from within Votiez, it's removed from the application immediately. Copies may remain in our database backups for up to 30 additional days before they are overwritten.

When you delete your account, your projects, feedback, comments, and profile information are scheduled for deletion. They will be inaccessible to you immediately, removed from our active systems within 60 days, and removed from backups within an additional 30 days. After that period, recovery is not possible.

Data retention

We keep your information for as long as your account is active, plus the deletion windows described above. Billing records and tax-relevant information may be retained longer where required by law (typically up to 5–10 years, depending on jurisdiction). Operational logs are retained for a short period — typically 30 days — and then discarded.

Where your data is stored

Votiez is operated from Vietnam, but the data is processed and stored primarily on infrastructure located in the United States (Convex, Clerk) and other regions chosen by our sub-processors (for example, Polar and Resend). By using Votiez, you understand that your data may be transferred to and processed in countries other than the one you live in.

International transfers

If you are located in the EU, UK, or another jurisdiction that restricts cross-border data transfers, the legal basis for transferring your data to the United States and other regions is either your consent to use the Service, our legitimate interest in providing it to you, or the Standard Contractual Clauses that our sub-processors maintain. Where the EU or UK GDPR applies, you may request a Data Processing Addendum by emailing privacy@votiez.com.

Changes and questions

We may update this policy as the Service evolves or as the law requires. We'll update the "Last updated" date at the top of this page, and for material changes we'll email account holders.

If you have any questions, requests, or concerns about your data or this policy, please email us at privacy@votiez.com. For general support, write to support@votiez.com. You can also read our Terms of Service.