All data is collected directly from our customers and users, we do not collect any data from any other sources.

Data is stored in a secure data center with many layers of security, more information available in our Technical Description and Release Management Process Policy, IT Policy, IT Incident Policy and Information Risk Management documentation.

Personal data is never shared with a third party unless there is a very specific reason for it. All those use cases are defined in our GDPR compliance document.

Given the limited Personally Identifiable Information (PII) we store there's a low risk for the individual to have sensitive data exposed. Given that our users can input certain text data there's a risk that the user inputs sensitive data themselves, so we always use industry best practices to keep all our data as secure as possible.

We store data as long as required by our customers. If any individual user doesn't need an account with us we anonymize any structured PII that we have stored within a reasonable time frame. All users can contact us at anytime and ask for the data we store about them (which is limited, see the overview section for details).

Our customers are companies and our users have some relationship with that company (typically employees). All users can see the data that is stored of them, which is very limited, and how we use data is obvious to all our users.

Any additional data fields we add to our system goes through an impact analysis. All data we store has a very specific purpose and we minimize the types of data we store.