Privacy Policy
Document ID: SURWAYR-PP-v1.0
Effective date: 28 March 2026
Last reviewed: 28 March 2026
Version history: 1.0 — Initial release
Hungarian original (HU): Download the authoritative PDF (HU)
Data controller identification
| Field | Value |
|---|---|
| Company name | Devtronics Kft. (DEVTRONICS IT Ltd.) |
| Registered office | 1174 Budapest, Baross utca 69., Hungary |
| Tax ID | 23398403-2-42 |
| Representative | Edina Balogh-Molnár, managing director |
| Contact email | legal@surwayr.com |
| Data Protection Officer (DPO) | Not appointed — see below |
DPO status (GDPR Art. 37): SURWAY’R is not required to appoint a DPO under GDPR Art. 37(1). The platform does not carry out large-scale, regular and systematic monitoring of natural persons [37(1)(b)], nor large-scale processing of special categories of data [37(1)(c)]; a public authority does not require it [37(1)(a)]. This assessment is reviewed annually (especially if scope, data types, or number of data subjects change materially). The assessment is documented in internal legal records. For privacy matters, contact privacy@surwayr.com.
1. Introduction and scope
SURWAY’R (hereinafter: “Provider” or “we”) is committed to protecting personal data. This notice describes what data we collect through surwayr.com and our applications, for what purposes and on what legal bases we process it, with whom we share it, how long we retain it, and what rights data subjects have.
This notice applies to the Provider as controller. SURWAY’R Users (researchers, organisations) are independent controllers for respondent data collected through their surveys; the Data Processing Agreement (DPA) governs their obligations.
This notice also applies to:
- Visitors to the Website and Service (without a registered account)
- Persons we contact or who contact us in connection with the Service (e.g. disputes, support correspondence)
- Professionals involved in developing and operating the Service (subcontractors, consultants)
2. Categories of data collected
2.1 Account data
- Name, email address, password (hashed) — only for password-based registration or if you later set a password; Sign in with Google (OAuth 2.0) does not transmit your password to the Provider.
- If you use Sign in with Google, Google LLC (or the Google entity applicable in your region) identifies you during the OAuth / OpenID Connect flow; the Provider creates or admits your account based on a successfully verified identity. Data typically received from Google includes an internal subject identifier (sub), a verified email address, name, and — if supplied by Google — a profile picture URL; processing is for contract performance (sign-in, account management), with consent aligned to the accepted Terms and Privacy Policy version for new registrations.
- Organisation / company name (optional)
- Billing details (name, billing address — card data is stored only by Stripe)
- Preferences and settings stored in the account
- A one-way hash (SHA-256 hex) of the normalised email address, stored separately, for abuse prevention and enforcing trial rules / service limits (including trial eligibility); the “trial consumed” flag is recorded only after Stripe has confirmed a trialing subscription (not merely opening Checkout). Technical metadata may also be stored with the hash (first-seen timestamp, last active state, trial period start/end dates) solely to prevent trial abuse and enforce service limits.
2.2 Usage and technical data
- IP address, browser type, operating system
- Session cookies, sign-in timestamps
- In-app activity logs (e.g. survey creation, export)
- Error reports and performance data
2.3 Survey content (indirect processing)
- Structure of surveys designed by Users
- Responses collected through Users’ surveys — processed by the Provider as processor; the User exercises controller rights over the data.
3. Purposes and legal bases (GDPR Art. 6)
| Purpose | Data | Legal basis | GDPR article |
|---|---|---|---|
| Account creation and authentication | Account data | Contract | 6(1)(b) |
| Subscription and billing | Account and billing data | Contract | 6(1)(b) |
| Support and troubleshooting | Account data, logs | Contract | 6(1)(b) |
| Security incidents | Logs, IP | Legitimate interests | 6(1)(f) |
| Product development and analytics | Aggregated usage data | Legitimate interests | 6(1)(f) |
| Legal obligations | Billing data, logs | Legal obligation | 6(1)(c) |
| Direct marketing (if consented) | | Consent | 6(1)(a) |
| Storing survey responses | Survey content | Contract (as processor) | 6(1)(b) |
| Consent event logging | IP address, user-agent, acceptance time, document version | Legitimate interests | 6(1)(f) |
| Abuse prevention, trial and service limits | One-way hash of normalised email, trial “consumed” flag | Legitimate interests | 6(1)(f) |
Legitimate interests balancing: The Provider documents a legitimate interest assessment (LIA) under GDPR Art. 6(1)(f). Users may request information at privacy@surwayr.com.
Consent log and legitimate interest: The IP address and user-agent recorded at registration and when accepting documents are personal data (GDPR Art. 4(1)). Their processing is based on the Provider’s legitimate interest (GDPR 6(1)(f)): provable consent, compliance with legal obligations, and ability to defend disputes. Under the LIA, this interest is proportionate and necessary because the data set is minimal, the purpose is legal provability, and clear information can be given at acceptance.
4. Transfers and processors
4.1 Processor list (summary)
The full up-to-date list is in the Subprocessor List.
| Processor | Activity | Location |
|---|---|---|
| Hetzner Online GmbH | Infrastructure, hosting | Germany (EU) |
| Stripe Ireland Limited | Payment processing | Ireland (EU) |
| Resend Inc. | Transactional email | USA (non-EEA) |
| Google LLC / Google Ireland Limited | OAuth 2.0 Sign in with Google (identity, email, name) | USA / Ireland (see Google DPA) |
| Google LLC (Gemini API) | AI analysis (optional, Gemini model) | USA (non-EEA) |
| Groq, Inc. | AI analysis (optional, LLM inference) | USA (non-EEA) |
4.2 Transfers to third countries (SCC)
Transfers outside the EEA (in particular to the USA) rely on the European Commission Standard Contractual Clauses (SCCs) under Implementing Decision 2021/914/EU — General Contractual Clauses. They are included in our contracts with processors.
Modules used:
- Module 2 (Controller → Processor): Resend, Google LLC (Gemini), Groq
- Module 1 (Controller → Controller): not applicable in the current architecture
Upon request, we provide copies of the relevant SCCs (privacy@surwayr.com).
Transfer Impact Assessment (TIA): TIAs for transfers to the USA are documented in our internal legal records. For Google Gemini and Groq APIs, survey content is sent to the AI APIs in minimal, aggregated form; we do not transfer personal identifiers.
Note on analytics: The Provider currently does not use third-party analytics (e.g. Google Analytics). If introduced in the future, we will update the Privacy Policy at least 30 days in advance and add the relevant processor to the table above.
5. Cookies and tracking
Details are in the Cookie Policy (SURWAYR-CP-v1.1).
Current state: SURWAY’R only places technically necessary cookies. We do not use analytics, tracking, or marketing cookies.
| Cookie type | Legal basis | Withdrawal |
|---|---|---|
| Session cookies (essential) | Contract (6(1)(b)) / legitimate interest (6(1)(f)) | Not withdrawable (required for operation) |
| Payment cookies (Stripe — only during checkout) | Contract (6(1)(b)) | No (required for payment) |
Analytics cookies: Not in use. If introduced in the future, we will do so only with explicit prior consent (GDPR 6(1)(a)) and update this notice at least 30 days in advance.
6. Retention periods
| Category | Retention | Reason |
|---|---|---|
| Account (active user) | While account exists | Contract |
| Account (deleted) | For the configured retention period (default: no automatic deletion); if USER_HARD_DELETE_RETENTION_DAYS > 0, automatic hard deletion applies — generally 90 days. Before hard deletion, personal data is anonymised (surveys, responses, and invitations are de-linked from the user); anonymised business data is retained. | Recovery, dispute handling; GDPR storage limitation |
| Billing records | 8 years | Hungarian accounting law |
| Security logs | 12 months | GDPR / security |
| Survey responses | As set by User; at most until account deletion + 90 days | Processor obligations |
| Backups | Up to 90 days, then deleted automatically | Operations / disaster recovery |
| Cookie consent logs | 3 years | ePrivacy Directive |
| Consent audit logs (legal_consent_events table + legal.log) | 5 years from account termination | Contractual legitimate interest, limitation period (GDPR 6(1)(f) + civil law) |
6a. Consent logging and legal provability
The Provider maintains a tamper-resistant, append-only record of Users’ legal consents. The system has two layers:
- Authoritative database (legal_consent_events table): Each consent event (registration acceptance, cookie banner decision, etc.) is stored as a separate row. At database level, append-only protection enforced by a trigger prevents modification or deletion of recorded rows.
- Auditable log (legal.log, hash chain): Alongside each database row, an entry is written to a JSON-line log file. Entries are protected by a SHA-256 hash chain: each row includes the previous row’s hash, so altering a row would invalidate the chain and be detectable on integrity review.
Data recorded for each consent event:
- Exact acceptance timestamp (UTC)
- Accepted document version numbers (e.g. ToS v1.1, PP v1.0)
- Consent mode (e.g. registration_self, cookie_banner)
- IP address (max. 64 characters)
- User-agent string (max. 512 characters)
- User identifier (if account exists)
- UI language (locale)
Retention: Consent audit logs are retained for 5 years from account termination, based on civil limitation periods and handling of potential disputes.
Legal basis: GDPR 6(1)(f) — legitimate interest (provability of contractual consent, defence in disputes).
Legal provability: Together, the append-only database trigger and hash-chained log file can demonstrate when and under what conditions the User consented and to which document versions (“Can you prove consent integrity?” — Yes: append-only DB trigger + hashed audit log + documented legal basis + retention policy.)
Integrity verification: The log file’s integrity can be verified at any time by recomputing the hash chain from all legal.log rows (SHA-256(prev_hash + payload_without_hash)) and comparing with stored _hash fields. Any change would be detectable. Verification logic is implemented in source code (verify_legal_log_chain).
Timestamp authenticity (clock source): Every consent event timestamp comes solely from the Provider’s server clock (datetime.now(timezone.utc) — server-side UTC); the system does not accept or record client-supplied times. The server clock runs on NTP-synchronised infrastructure (Hetzner).
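The recomputation described under “Integrity verification”, as an added example that is not the Provider’s verify_legal_log_chain source. The `_prev_hash` field name, the all-zero genesis value, the canonical JSON serialisation and the sample rows are assumptions; the optional `expected_head` check goes beyond the notice and compares the last hash with a copy kept outside the file.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row

def canonical(payload: dict) -> str:
    # Assumed canonical form: sorted keys, compact separators.
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))

def row_hash(prev_hash: str, payload: dict) -> str:
    # SHA-256(prev_hash + payload_without_hash), as the notice states it.
    data = (prev_hash + canonical(payload)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def append_row(lines: list, payload: dict) -> None:
    # Writer side: link the new row to the stored hash of the last row.
    prev = json.loads(lines[-1])["_hash"] if lines else GENESIS
    body = dict(payload, _prev_hash=prev)
    lines.append(json.dumps(dict(body, _hash=row_hash(prev, body))))

def verify_chain(lines, expected_head=None):
    """Return (ok, index of the first bad row or None)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            row = json.loads(line)
            stored = row.pop("_hash")  # row is now payload_without_hash
        except (ValueError, KeyError, TypeError, AttributeError):
            return False, i  # unparsable row or missing _hash
        if row.get("_prev_hash") != prev or row_hash(prev, row) != stored:
            return False, i  # broken link or altered content
        prev = stored
    if expected_head is not None and prev != expected_head:
        return False, len(lines)  # tail truncated or chain rewritten
    return True, None

def sample_log() -> list:
    # Constructed rows; the IPs are documentation addresses.
    lines = []
    for mode, ip in [("registration_self", "203.0.113.7"),
                     ("cookie_banner", "203.0.113.7"),
                     ("registration_self", "198.51.100.23")]:
        append_row(lines, {"ts": "2026-03-28T10:00:00+00:00", "mode": mode,
                           "ip": ip, "docs": ["PP v1.0"]})
    return lines
```

Without an externally stored head hash, a chain that has lost its last rows still verifies, so the chain on its own shows in-place edits and mid-file deletions but not tail truncation.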
7. Data subject rights
Under GDPR Chapter III, data subjects have the rights below. Procedures are detailed in the DSR Policy (SURWAYR-DSR-v1.0):
| Right | GDPR article | Response time |
|---|---|---|
| Access | Art. 15 | 30 days |
| Rectification | Art. 16 | 30 days |
| Erasure (“right to be forgotten”) | Art. 17 | 30 days |
| Restriction | Art. 18 | 30 days |
| Data portability | Art. 20 | 30 days |
| Object | Art. 21 | Immediate / 30 days |
| Not to be subject to automated decisions | Art. 22 | 30 days |
Requests: privacy@surwayr.com — please attach ID or authenticate via your sign-in email. Full procedure: DSR Policy (SURWAYR-DSR-v1.0).
Supervisory authority (GDPR Art. 77)
You may lodge a complaint with a supervisory authority, in particular in your habitual residence, workplace, or place of the alleged infringement.
Supervisory authority at the controller’s establishment:
National Authority for Data Protection and Freedom of Information (NAIH)
Address: 1055 Budapest, Falk Miksa utca 9–11.
Mailing: 1363 Budapest, P.O. Box 9.
Phone: +36 (1) 391-1400
Email: ugyfelszolgalat@naih.hu
Web: naih.hu
This does not affect your right to an effective judicial remedy against the controller (GDPR Art. 79). Both routes may be used.
If you do not live or work in Hungary, you may contact your Member State authority; list: edpb.europa.eu.
8. Security
We apply technical and organisational measures described in the Security Policy, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Two-factor authentication (2FA) for administrative access
- Regular security reviews and penetration tests
- Access control and role-based permissions (RBAC)
9. Children’s data
The Service is available only to natural persons aged 18+ and organisations (minors 16–18 with legal representative consent). If we learn we have stored data about a child under those rules, we delete it without delay. For Respondents, the User (controller) is responsible for compliance with rules on minors.
9a. Respondents’ data
If the User collects data from other persons (Respondents) through their surveys, the User is the controller for that data and the Provider is only a processor. The Data Processing Agreement (DPA) governs processing of Respondents’ data.
Respondents should contact the User who sent the survey for processing related to that User’s survey. The Provider acts only on behalf of the User and is not responsible for the User’s processing decisions. If a Respondent cannot identify whose survey they completed, contact us at privacy@surwayr.com and we will help identify the responsible controller.
9b. Updating personal data and commercial communication
The User may update the data we hold at any time in account settings or by written request to privacy@surwayr.com. Keeping data accurate is the User’s responsibility; they undertake to review the data we hold regularly.
Commercial communication: If you subscribed to our newsletter, you may unsubscribe at any time via the link at the bottom of emails or by notifying privacy@surwayr.com. Unsubscribing does not affect transactional emails (invoices, password reset, security alerts, feature notifications), which are necessary for contract performance.
Use of anonymised data: After we anonymise your data — so it can no longer be linked to you or another natural person — we may aggregate statistics and technical analyses for developing and optimising the Service and may publish the results.
10. Changes to this notice
For material changes, we notify Users at least 30 days before they take effect by email or in-app notice. The current version is always available at surwayr.com/privacy. If the User does not agree with a material change, their sole remedy is to delete their account and stop using the Service.