Privacy policy

Written By Bruno from Featurebase

Last updated 5 months ago

1. Introduction and Scope

CORDNET OÜ (registry code: 14748498), a company incorporated under Estonian law with its registered office at Kaluri tee 4-32, Haabneeme alevik, Viimsi vald, Harju maakond, 74001, Estonia ("FeatureBase," "we," "us," or "our"), operates the feedback management and customer support platform accessible at https://www.featurebase.app and related services.

This Privacy Policy ("Policy") describes our practices regarding the collection, processing, storage, and protection of personal data when you use our website, platform, mobile applications, and associated services (collectively, the "Services"). By accessing or using our Services, you acknowledge that you have read and understood this Policy.

1.1 Regulatory Framework

As an Estonian company, we comply with:

  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")

  • Estonian Personal Data Protection Act ("PDPA") and Personal Data Protection Implementation Act

  • Directive 2002/58/EC on Privacy and Electronic Communications (as amended)

  • Applicable data protection laws in jurisdictions where our customers operate

1.2 Incorporation by Reference

This Policy should be read in conjunction with:

Where a signed Data Processing Agreement exists between FeatureBase and a customer organization, the terms of that agreement shall prevail regarding the processing of customer data.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ('data subject'), including but not limited to names, email addresses, IP addresses, and behavioral data, as defined under GDPR Article 4(1).

"Processing" means any operation performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means the entity that processes personal data on behalf of the controller.

"Customer Data" means personal data that our business customers submit, store, or process using our Services while acting as data controllers.

"Service Data" means operational and technical data we collect independently to maintain, secure, and improve our Services.

3. Data Controller Information

Data Controller: CORDNET OÜ
Business Registry Code: 14748498
Registered Address: Kaluri tee 4-32, Haabneeme alevik, Viimsi vald, Harju maakond, 74001, Estonia
Email: support@featurebase.app
Data Protection Contact: support@featurebase.app

4. Categories of Personal Data We Process

4.1 Information You Provide Directly

When you register, subscribe, or interact with our Services, you may provide:

  • Account Information: Name, email address, company name, job title

  • Authentication Data: Passwords (hashed), SSO tokens, multi-factor authentication settings

  • Payment Information: Billing address, VAT number (payment card details are processed solely by our PCI-DSS compliant payment processors)

  • Communication Data: Support tickets, feedback submissions, survey responses, chat messages

  • User-Generated Content: Feature requests, bug reports, comments, votes, roadmap contributions

4.2 Information We Collect Automatically

When you use our Services, we automatically collect:

  • Technical Data: IP address (for security and approximate geolocation), browser type and version, device identifiers, operating system

  • Usage Data: Pages visited, features accessed, click patterns, session duration, error logs

  • Integration Data: Information from connected third-party services (GitHub, Slack, Jira, Linear, Intercom) as authorized by you

  • Performance Data: Application response times, API usage, system health metrics

4.3 Information from Third Parties

We may receive information about you from:

  • Your Organization: When your employer or client provides us with your business contact information

  • Integration Partners: When you connect third-party services to FeatureBase

  • Publicly Available Sources: Professional information from public profiles for B2B communication

4.4 Special Categories of Data

We do not intentionally collect special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). If such data is inadvertently provided through user-generated content, we will delete it upon discovery.

5. Legal Bases for Processing

We process personal data only when we have a valid legal basis under GDPR Article 6:

5.1 Contract Performance (Article 6(1)(b))

  • Providing and maintaining your account

  • Processing transactions and billing

  • Delivering core platform functionality

  • Responding to support requests

5.2 Legitimate Interests (Article 6(1)(f))

We rely on legitimate interests for:

  • Improving Service performance and user experience

  • Preventing fraud and ensuring platform security

  • Sending service-related communications

  • Aggregated analytics and product development

  • Enforcing our Terms of Service

We have conducted legitimate interest assessments for these activities and determined that our interests do not override your fundamental rights and freedoms.

5.3 Legal Obligations (Article 6(1)(c))

  • Complying with Estonian tax and accounting requirements

  • Responding to lawful requests from authorities

  • Maintaining records as required by law

  • Anti-money laundering and sanctions compliance

5.4 Consent (Article 6(1)(a))

  • Marketing communications (you may withdraw consent at any time)

  • Optional features requiring additional data processing

  • Non-essential cookies and analytics tools

5.5 Vital Interests (Article 6(1)(d))

In rare circumstances, we may process data to protect someone's life or physical integrity.

6. Purposes of Processing

We process personal data for the following purposes:

6.1 Service Delivery

  • Create and manage user accounts

  • Facilitate feedback collection and management

  • Enable voting, commenting, and collaboration features

  • Provide customer support and help center functionality

  • Process and display product roadmaps and changelogs

6.2 Platform Operations

  • Authenticate users and manage access controls

  • Process payments and maintain billing records

  • Send transactional emails and in-app notifications

  • Integrate with third-party tools and services

  • Generate reports and analytics for customers

6.3 Improvements and Innovation

  • Analyze usage patterns to enhance features

  • Develop new functionalities based on user needs

  • Optimize performance and user interface

  • Conduct A/B testing and user research (with consent)

  • Train and improve our AI-powered features (using aggregated data)

6.4 Security and Compliance

  • Detect and prevent fraudulent activities

  • Monitor for abuse and Terms of Service violations

  • Respond to legal requests and protect our legal rights

  • Maintain audit logs for security purposes

  • Ensure data integrity and system availability

6.5 Communication

  • Send service updates and maintenance notifications

  • Provide customer support responses

  • Deliver marketing communications (with consent)

  • Share product announcements and educational content

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law:

7.1 Retention Periods

| Data Category | Retention Period | Justification |
|---|---|---|
| Active Account Data | Duration of account + 30 days | Service provision |
| Deleted Account Data | 90 days after deletion request | Recovery period and legal obligations |
| Payment Records | 7 years | Estonian accounting law |
| Security Logs | 1 year | Security and audit requirements |
| Marketing Consent Records | 3 years after withdrawal | Demonstrate compliance |
| Support Tickets | 2 years after resolution | Service improvement and legal defense |
| Aggregated Analytics | Indefinite (anonymized) | Product development |

7.2 Data Deletion

Upon expiration of retention periods, personal data is either:

  • Permanently deleted from our systems

  • Anonymized beyond possibility of re-identification

  • Transferred to archival storage (only where legally required)

8. Data Sharing and Disclosure

8.1 We Do Not Sell Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

8.2 Service Providers and Sub-processors

We share personal data with carefully selected service providers who assist us in operating our Services:

All sub-processors are bound by contractual obligations consistent with GDPR requirements. Our current list of sub-processors is available at: https://help.featurebase.app/articles/2733677-subprocessors

8.3 Legal Disclosures

We may disclose personal data when required by law or when we believe in good faith that disclosure is necessary to:

  • Comply with legal obligations, court orders, or government requests

  • Protect and defend our rights or property

  • Prevent fraud or protect against security threats

  • Protect the safety of any person

Unless legally prohibited, we will notify affected users of such disclosures.

8.4 Business Transfers

If FeatureBase undergoes a merger, acquisition, or sale of assets, personal data may be transferred as part of the transaction. We will notify you via email and prominent notice on our Services before your personal data becomes subject to a different privacy policy.

9. International Data Transfers

9.1 Primary Data Location

We store and process data primarily within the European Union (Germany-based servers). This ensures that most data processing occurs within the EEA, benefiting from GDPR protections.

9.2 Transfers Outside the EEA

When we transfer personal data outside the EEA (for example, to sub-processors in the United States), we ensure appropriate safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs (Commission Implementing Decision 2021/914)

  • Adequacy Decisions: Where available, we rely on adequacy decisions by the European Commission

  • Supplementary Measures: We implement additional technical and organizational measures as required by the Schrems II decision

9.3 Transfer Impact Assessments

We conduct transfer impact assessments for all international data transfers to ensure that the level of protection guaranteed by the GDPR is not undermined.

10. Data Security

10.1 Technical and Organizational Measures

We implement appropriate security measures to protect personal data against unauthorized access, alteration, disclosure, or destruction:

Technical Measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)

  • Multi-factor authentication for administrative access

  • Regular security updates and patch management

  • Web Application Firewall (WAF) and DDoS protection

  • Secure development practices and code reviews

  • Regular penetration testing and vulnerability assessments

Organizational Measures:

  • Access controls based on least privilege principle

  • Confidentiality agreements with all staff

  • Regular security training for employees

  • Incident response procedures

  • Business continuity and disaster recovery planning

  • Vendor security assessments

10.2 Data Breach Response

In the event of a personal data breach, we will:

  • Notify the Estonian Data Protection Inspectorate within 72 hours (where feasible)

  • Notify affected data subjects without undue delay if the breach poses high risk to their rights

  • Document all breaches in our internal register

  • Take immediate steps to mitigate harm and prevent recurrence

11. Your Rights Under GDPR

As a data subject, you have the following rights regarding your personal data:

11.1 Right of Access (Article 15)

Request confirmation of whether we process your personal data and obtain a copy of such data.

11.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten") under certain circumstances.

11.4 Right to Restriction (Article 18)

Request that we limit the processing of your personal data in specific situations.

11.5 Right to Data Portability (Article 20)

Receive your personal data in a structured, commonly used, and machine-readable format.

11.6 Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing purposes.

11.7 Rights Related to Automated Decision-Making (Article 22)

Not be subject to solely automated decision-making that produces legal or significant effects. Note: We do not currently engage in such automated decision-making.

11.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

11.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at support@featurebase.app. We will respond to your request within 30 days, or inform you if an extension is necessary (up to 60 additional days for complex requests).

We may request proof of identity to protect your privacy. We will not charge a fee unless requests are manifestly unfounded or excessive.

12. Cookies and Tracking Technologies

12.1 Types of Cookies We Use

Essential Cookies: Required for core functionality (authentication, security, user preferences)

  • Legal basis: Legitimate interests

  • Cannot be disabled

Analytics Cookies: Help us understand Service usage and improve performance

  • Legal basis: Consent

  • Can be managed through Cookie Settings

Marketing Cookies: Used to measure advertising effectiveness (not for behavioral advertising)

  • Legal basis: Consent

  • Can be disabled entirely

12.2 Cookie Management

You can manage your cookie preferences:

  • Through our Cookie Settings panel (available in footer)

  • Via your browser settings

  • Using browser extensions that block tracking

For detailed information, please see our Cookie Policy at https://www.featurebase.app/cookie-policy.

12.3 Do Not Track Signals

We respect browser "Do Not Track" signals and Global Privacy Control (GPC) settings by automatically disabling non-essential cookies when detected.

13. Children's Privacy

Our Services are not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected such data, we will promptly delete it.

Parents or guardians who believe we may have collected information from their child should contact us immediately at support@featurebase.app.

14. Third-Party Links and Integrations

Our Services may contain links to third-party websites and integrate with third-party services (GitHub, Slack, Jira, etc.). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing personal data.

When you connect third-party services, you explicitly authorize the data sharing described in the integration setup process.

15. Data Processing Agreements

15.1 When FeatureBase is a Processor

For business customers, we act as a data processor for Customer Data. Our standard Data Processing Agreement (DPA) is available at https://www.featurebase.app/data-processing-agreement and includes:

  • Detailed processing instructions

  • Security obligations

  • Sub-processor management

  • Assistance with GDPR compliance

  • Audit rights

15.2 When FeatureBase is a Controller

We act as a data controller for:

  • Account registration and billing information

  • Service Data and analytics

  • Marketing communications

  • Website visitor data

16. Privacy by Design and Default

We implement privacy by design principles:

  • Data Minimization: We collect only data necessary for specified purposes

  • Purpose Limitation: We don't use data beyond stated purposes without consent

  • Privacy Defaults: New accounts have privacy-friendly default settings

  • Transparency: Clear information about data processing in user interfaces

  • User Control: Easy-to-use privacy settings and data management tools

17. Accountability and Compliance

17.1 Records of Processing Activities

We maintain detailed records of our processing activities as required by GDPR Article 30, including:

  • Purposes of processing

  • Categories of data subjects and personal data

  • Recipients of personal data

  • International transfers

  • Retention periods

  • Security measures

17.2 Privacy Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing operations likely to result in high risk to data subjects' rights and freedoms.

17.3 Cooperation with Supervisory Authorities

We cooperate fully with the Estonian Data Protection Inspectorate and other relevant supervisory authorities.

18. Updates to This Policy

We may update this Policy to reflect changes in our practices, legal requirements, or Service features. We will notify you of material changes through:

  • Email notification to registered users

  • Prominent notice on our website

  • In-app notifications

The "Effective Date" at the top of this Policy indicates when it was last revised. Your continued use of our Services after changes take effect constitutes acceptance of the updated Policy.

For material changes that affect your rights or our processing purposes, we will provide at least 30 days' advance notice.

19. Contact Information and Complaints

19.1 Contact Us

For privacy-related questions, requests, or concerns:

Email: support@featurebase.app
Postal Address:
CORDNET OÜ
Kaluri tee 4-32
Haabneeme alevik, Viimsi vald
Harju maakond, 74001
Estonia

19.2 Response Times

We aim to respond to all privacy requests within:

  • General inquiries: 5 business days

  • Rights exercises: 30 days (as required by GDPR)

  • Data breach notifications: Immediately

19.3 Supervisory Authority

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority, in particular:

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Tatari 39
10134 Tallinn
Estonia
Email: info@aki.ee
Phone: +372 627 4135
Website: https://www.aki.ee

You may also contact the supervisory authority in your country of residence.

20. Language

This Policy is provided in English. If this Policy is translated into other languages, the English version shall prevail in the event of any discrepancies.

21. Severability

If any provision of this Policy is found to be unenforceable or invalid under applicable law, only that provision will be limited or eliminated to the minimum extent necessary, and the remaining provisions will continue in full force and effect.

22. Entire Agreement

This Privacy Policy, together with our Terms of Service and any applicable Data Processing Agreement, constitutes the entire agreement between you and FeatureBase regarding the processing of personal data in connection with our Services.