Privacy Policy

Last updated: July 9, 2026

This Policy describes how NPSLab ("we") handles the personal data of those who use our satisfaction survey platform (NPS/CSAT/CES), including the web dashboard and the NPSLab mobile app. By using the service, you agree to the practices described here.

1. Data controller

NPSLab is the controller of customer account data. For collected survey responses, the customer (the company creating the survey) is the controller and NPSLab acts as a processor, handling data under the customer’s instructions.

2. Data we collect

Account and contact data: name, email, password (stored hashed), phone when provided, organization, access role and user/account identifiers.

Organization and location data: company or store name, physical address, city, state, phone, email and operational preferences entered by the customer.

Survey responses and other user-generated content: NPS/CSAT/CES scores, choices, free-text comments and, when the respondent chooses to provide it, follow-up contact (name, email and/or phone). Respondent contact is optional.

Photos and images: images selected by the user for survey logos or backgrounds. The app may also save QR Codes to the device photo library when requested by the user; that action does not upload new personal photos to NPSLab.

Purchase and subscription data: subscription status, purchased plan/product, purchase history associated with the account, and customer, checkout, and subscription identifiers needed to process and validate purchases through Stripe, the App Store, or Google Play. For website purchases, Stripe may collect billing country, address, and tax identification when required. NPSLab does not receive full card or bank account details, which are handled by the payment provider.

Usage and device data: device type, operating system, language, push tokens, collection timestamps, technical app identifiers and kiosk/operator device identifiers, as well as interactions needed to operate and improve the product.

Diagnostics: crash logs, performance data, network errors and other technical diagnostic data collected for security, stability and troubleshooting.

3. How we use data

Operate the service: create and manage surveys, collect and display responses, compute metrics (NPS, distribution, store ranking).

Account authentication, account security and access control by organization and store.

Operational notifications configured by the customer.

Subscription processing, purchase validation, support, abuse prevention, product improvement and crash diagnostics.

4. Legal basis

We process data based on contract performance, legal obligations, legitimate interest to operate and improve the service and, where applicable, consent (e.g., when a respondent voluntarily provides contact details).

5. Sharing

We do not sell personal data and we do not use third-party advertising. We share data only with providers that enable the service, such as cloud hosting, databases, email delivery, push notifications, error/performance monitoring, subscription processing, and purchase validation through Stripe, the App Store, Google Play, and RevenueCat, under confidentiality obligations, and when required by law.

Survey responses belong to the customer who created the survey and are accessible only to authorized users of that organization.

Response text may be processed by AI providers only to generate summaries and insights for the customer, acting as processors on our behalf.

6. App permissions

The app may request camera access to scan survey QR Codes, photo library access to choose logo/background images or save QR Codes, and notification permission to send operational alerts. Permissions are used only for those purposes and can be revoked in device settings. The current app does not record audio or request microphone access for collection.

7. Retention

We keep data while the account is active and for as long as needed for the described purposes or required by law. Customers may request deletion of responses and the account.

8. Your rights

Under GDPR/LGPD, you may request access, correction, portability, anonymization or deletion of your data, and withdraw consent. To exercise them, contact us via the channel below.

9. Security

We apply technical and organizational measures to protect data, including encryption in transit, role-based access control and secure credential storage.

10. Children

The service is not intended for minors and we do not knowingly collect children’s data.

11. Changes

We may update this Policy. Material changes will be communicated through the service, with the updated date.

Contact

Privacy questions or requests: [email protected].