GDPR Compliance

The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Inline Feedback.

If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (ie. Inline Feedback) are GDPR-compliant. Inline Feedback is GDPR-compliant, and strictly enforces the regulation so as to protect the user data we store.

Inline Feedback and GDPR

The GDPR regulation can be reduced to 10 important points. For each point, we explain how Inline Feedback handles its compliance. If we did not answer your questions in this article, you can still drop us a chat or email.

Also, please note that all Inline Feedback data processor providers (Stripe) have been checked to be GDPR-compliant.

1. Awareness

All employees responsible for software development & infrastructure maintenance of Inline Feedback are fully aware of the GDPR requirements.

Also, code reviews are performed by the Data Protection Officers (as listed in this article) before any code deployment to the platform. This ensures security breaches and bad practices are not introduced by eg. a third-party temporary contractor or an Inline Feedback employee, even if aware of GDPR requirements (this acts as a double human safety check).

2. Information we hold

Inline Feedback stores data on 2 kinds of parties:

  • Our customers
  • Our customers’ end-users (ie. the users of our customers)

2.1. Information held on our users

Inline Feedback collects account information for each user (we refer to them as customers in this article), including:

  • User first and last name, email, and profile picture
  • User payment details (includes invoicing information, eg. company address and country — the credit card number is stored by Stripe)
  • Browsed pages on the Controller’s website and referring URL
    • date and time of visits to the Controller’s website
    • technical information such as screen resolution, operating system, browser type and device type
    • geolocation data (country and city)
    • IP address

2.2. Information held on our users’ end-users

Information held on our users’ end-users includes:

  • End-user email address (if provided by end-user, thus involving a consent)
  • End-user message exchanges on the Inline Feedback platform
  • End-user last activity date and time
  • End-user profile information (resolved from public data shared by end-user on the Internet, see notice below)
  • Browsed pages on the Controller’s website and referring URL
    • date and time of visits to the Controller’s website
    • technical information such as screen resolution, operating system, browser type and device type
    • geolocation data (country and city)
    • IP address

Inline Feedback resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source public information that the end-user consented to share on a third-party service (eg. on social networks such as LinkedIn or Twitter). This end-user identity information is stored on Inline Feedback services for as long as the Inline Feedback customer wishes it to be stored in their Inline Feedback CRM database.

The information held on our users’ end-users is solely the responsibility of our users (ie. the individual websites using Inline Feedback). It is the responsibility of our users to manage the data they hold in the Inline Feedback platform, ie. to remove sensitive data if someone happens to share it with them (eg. Social Security Numbers, etc.). It is our responsibility to secure access to this data (ie. only website operators can access it and have a right to rectification and deletion).

3. Communicating privacy information

The privacy terms for Inline Feedback customers’ end-users are the sole responsibility of Inline Feedback customers. They should be announced on the Inline Feedback customer’s website.

4. Individuals’ rights

  • Right to be informed
  • Right of access: our users can access all their data
  • Right of rectification
  • Right of erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Right not to be subject to automated decision-making including profiling

5. Subject access requests

Inline Feedback responds to all access requests (whether granted or denied) within one month. Where possible, we aim to respond within one week.

We offer this free of charge for our customers (paid and free).

6. Lawful basis for processing personal data

Inline Feedback stores user data involving a consent (ie. a conversation that both parties entered willingly, exchanging eg. emails).

It is the customer’s responsibility to ensure that any personal data submitted to or processed through Inline Feedback is collected and used lawfully. For example, if a customer collects email addresses through Inline Feedback and later uses them for marketing purposes (whether within Inline Feedback or via an external system), the customer must have a valid legal basis to do so, such as obtaining the user’s consent where required.

7. Consent

Consent is provided by our users explicitly when performing an action or task (eg. when they provide user data).

Inline Feedback allows its customers to submit user data in an automated way, via a frontend JavaScript API and backend REST API. This data must have been provided by the customer’s user in a consensual way, as it is propagated to Inline Feedback automatically (if the customer implemented such an API in their source code).

8. Children

Inline Feedback does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we have not identified it as relevant to control the age of users signing up for services.

Children might still be able to use the Inline Feedback services from the website or apps of a customer. To this extent, the Inline Feedback customer is responsible for checking its own users and activities against regulations regarding children.

9. Data breaches

Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. From the start in 2026, Inline Feedback has had 0 major security issues.

Here are a few measures we took to reduce any attack surface:

  • Aggressive use of firewalls and network isolation in our infrastructure
  • No access to our server systems is allowed from the public Internet; trusted administrators from the Inline Feedback team need to connect via a trusted VPN network
  • We monitor any security flaw in any library we may use in our running backends, and patch them as soon as an update is issued
  • Use of 2-Factor-Authentication on all our sensitive accounts (eg. hosting provider, etc.)
  • Isolate data stores and sensitive backends on different servers
  • All platform backups are encrypted using AES-256 (via OpenSSL), stored privately, and retained for a maximum of 1 month.

The points listed above help reduce the probability of a major data breach occurring.

10. Data Protection by Design and Data Protection Impact Assessments

Whenever Inline Feedback develops a new system, security comes first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and the second goal is to protect the user data that’s being stored and used by that system.

Changes to this GDPR Notice

We may update this GDPR notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify customers at least 30 days before the changes take effect (for example via email and/or an in-app notice). What constitutes a material change will be determined at our sole discretion.

By continuing to access or use the Service after the changes become effective, you acknowledge the updated GDPR notice. If you do not agree with the updated notice, you should stop using the Service.

Contact Us

If you have any questions about this GDPR notice, please contact us at support@inline-feedback.com.

This notice was last updated on 03.03.2026.