Data protection, by design
VoC reads your customer feedback in your browser — the comments never touch our servers — so the most sensitive data in a Voice-of-the-Customer report stays with you.
This page is written for the person who has to sign off on a new tool: a Data Protection Officer, a security lead, or a careful product owner. It explains how VoC is built, what we do and don't process, and the controls that back that up. For the plain-language version of who we are and your rights, see our Privacy Policy. If you need a signed Data Processing Agreement, jump to DPA & how to reach us.
VoC is operated by [LEGAL ENTITY NAME], [registered address], EU. Replace this placeholder with the registered controller entity before publishing. This page was last reviewed on [DATE].
The one idea that drives everything
A Voice-of-the-Customer report is built from the most sensitive thing a retailer holds: what customers actually wrote. Names, frustrations, the occasional order number typed into a comment box. So we made a deliberate architectural choice:
- Your feedback files are parsed in your browser. You drop in your Trustpilot, Bazaarvoice, NPS, Google or app-store exports, and the parsing, scoring and charting all happen on your machine. The raw comments are never uploaded to a VoC server and never stored by us.
- We only hold account and billing data. Server-side, we keep what's needed to run an account — your email, a hashed password, your brand-kit settings, and billing metadata from Stripe. That's it.
- No central database of your customers. Because comments stay in the browser, VoC never builds a searchable store of individual customers. There is nothing on our side to breach, subpoena, or accidentally over-share.
This is data minimisation taken literally: the data we don't hold can't be lost.
Where data actually lives
| Data | Where it's processed | Stored by VoC? |
|---|---|---|
| Customer feedback comments & raw export files | In your browser only | No — never uploaded, never stored |
| Derived aggregates (counts, scores, theme tallies, charts) | In your browser; saved to your device if you choose | No — no central copy |
| Account data (email, hashed password, brand-kit settings) | VoC application (Cloudflare D1, EU edge) | Yes — minimal, for login & theming |
| Billing metadata (plan, seats, invoice references) | Stripe; references in VoC | Yes — to run the subscription |
| Optional AI narrative input | De-identified text + aggregates, sent only on an explicit click | No — not retained by VoC; see below |
The optional AI summary is the one moment anything leaves your browser, and it only happens when you press the insight button. Before that, VoC scrubs the comment text in the browser — emails, links, IBANs and long digit runs (phone, order, customer numbers) are replaced with placeholders — and sends only those de-identified snippets plus aggregate statistics. Raw files are never part of that call.
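As an added illustration of the in-browser scrubbing step just described (example code, not VoC's own implementation): the four categories the page names are matched by regular expressions and replaced with placeholders before anything is sent, and the function also returns a per-category count so the scrub can be audited. The regexes, placeholder names, sample comment and payload shape are this example's own assumptions; the trailing name in the sample is left in on purpose, since the page's DPIA notes that a name in free prose is the residual item no pattern reliably catches.

```javascript
// Added example, not code from the VoC product. Runs in a browser or in Node.
// Order matters: an email or an IBAN contains a long digit run, so those
// patterns run before the generic digit-run pattern.
const SCRUB_RULES = [
  { label: 'URL',    re: /\bhttps?:\/\/[^\s<>"')]+|\bwww\.[^\s<>"')]+/gi },
  { label: 'EMAIL',  re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  { label: 'IBAN',   re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },
  // Six or more digits, optionally separated by single spaces, dots or dashes
  // (phone, order and customer numbers). A date such as 2023-11-05 is caught
  // too, which errs on the side of removal.
  { label: 'NUMBER', re: /\+?\d(?:[ .-]?\d){5,}/g },
];

// Replace every match with "[LABEL]" and count what was removed per label.
function deidentify(comment) {
  const counts = {};
  let text = comment;
  for (const { label, re } of SCRUB_RULES) {
    text = text.replace(re, () => {
      counts[label] = (counts[label] || 0) + 1;
      return `[${label}]`;
    });
  }
  return { text, counts };
}

// Build the only thing that would leave the browser: scrubbed snippets plus
// aggregates already computed locally. Raw comments are never included.
function buildAiPayload(comments, aggregates) {
  const scrubbed = comments.map(deidentify);
  const scrubReport = {};
  for (const { counts } of scrubbed) {
    for (const [label, n] of Object.entries(counts)) {
      scrubReport[label] = (scrubReport[label] || 0) + n;
    }
  }
  return { snippets: scrubbed.map((s) => s.text), aggregates, scrubReport };
}

// Constructed sample comment (not real customer data).
const SAMPLE_COMMENT =
  'Order 1234567890 never arrived. Email me at jane.doe@example.com or ' +
  '+44 7700 900123. Refund to DE89370400440532013000. ' +
  'See https://example.com/track/1234567890 please. Jane Doe, Bristol';

if (typeof require !== 'undefined' && require.main === module) {
  const payload = buildAiPayload([SAMPLE_COMMENT, 'Great service, 5 stars'], { nps: 42 });
  console.log(JSON.stringify(payload, null, 2));
}

module.exports = { SCRUB_RULES, deidentify, buildAiPayload, SAMPLE_COMMENT };
```

The scrub report is what a DPO can ask for when reviewing an AI call: it shows that, for a given batch, so many emails, links, IBANs and number runs were removed, without the reviewer ever seeing the originals. Because "Jane Doe, Bristol" survives, the output still has to be treated as internal-confidential, exactly as the DPIA table says.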
DPIA summary
We maintain a full Data Protection Impact Assessment (Article 35 GDPR) for the feedback-analysis processing, including the optional AI step. The table below is the working summary; we can share the complete DPIA, and a companion Legitimate Interest Assessment, under DPA.
| Processing purpose | Data categories | Lawful basis (controller) | Key risks | Mitigations |
|---|---|---|---|---|
| Turn existing customer feedback into an internal Voice-of-the-Customer report and board-ready deck | Customer opinions / free text; ratings & scores; limited metadata (market, channel, product, language, date); incidental identifiers a customer typed into a comment | Legitimate interest (Art. 6(1)(f)) — acting on feedback customers chose to give. You are the controller; VoC is your processor for account/AI-proxy functions. | Residual PII (a name written in prose) reaching the AI processor | In-browser PII scrubbing before any transfer; aggregates carry no raw text; outputs treated as internal-confidential |
| Optional AI-written narrative of the findings | De-identified comment snippets + aggregate statistics only | Same legitimate-interest basis; narrative is editable and constrained to the computed figures | Cross-border (US) transfer of text | EU Standard Contractual Clauses + sub-processor DPA; no model training on the data; short retention; payload already de-identified |
| Running the account (login, theming, subscription) | Email, hashed password, brand-kit settings, billing metadata | Contract (Art. 6(1)(b)) — providing the service you signed up for | Unauthorised account access; AI key/cost abuse | PBKDF2 password hashing; httpOnly SameSite session cookies (only sha256(token) stored); AI key held server-side only; per-seat metering & budget caps |
Our assessment: with these controls in place, residual risk is low, and no processing is likely to result in a high risk that would require prior consultation with a supervisory authority. The principal residual item — a name or address written in natural prose, which no pattern can reliably detect — is accepted and mitigated by de-identification and keeping outputs internal.
Security measures
Concrete, not aspirational. These are in place today.
- Passwords are never stored in the clear. We hash them with PBKDF2 (salted, many iterations). VoC cannot read your password, and neither can anyone who somehow reaches the database.
- Sessions store only a fingerprint. Your session cookie is `httpOnly` and `SameSite`, so client-side scripts can't read it. Server-side we keep only `sha256(token)` — never the token itself — so a database copy can't be replayed as a login.
- Encryption in transit. All traffic to VoC runs over HTTPS/TLS via the Cloudflare edge.
- Least data, by design. Feedback content never reaches us; we hold the minimum account data to operate, and nothing we don't need.
- AI key isolation. The key for the AI narrative lives as a server-side secret in our proxy and is never exposed to the browser. Usage is metered per seat with a monthly budget cap.
- Saved reports are inert. A report you export is a snapshot for your own storage; opening it off our domain doesn't grant access to anything on our side.
Sub-processors
We keep the list short on purpose — fewer parties, less surface area. These are the only sub-processors involved in running VoC:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloudflare, Inc. | Hosting (Pages), application logic (Functions), account database (D1 SQLite), TLS edge, AI proxy | EU edge; global network | Cloudflare DPA incorporating EU SCCs |
| Stripe | Subscription billing & payment processing | EU/US | Stripe DPA incorporating EU SCCs; VoC stores only billing metadata, not card data |
| Anthropic, PBC | Optional AI narrative generation (de-identified input only) | United States | Commercial DPA + EU SCCs; no training on API data; short retention |
We don't use third-party model routers, ad networks, or analytics that profile your end customers. If we ever add or change a sub-processor, we'll update this page; under a signed DPA, we notify you in advance so you can object.
Data residency
VoC runs on Cloudflare's EU edge, and your account database (D1) is provisioned in the EU. The only routine cross-border transfer is the optional AI step, where de-identified text is sent to the AI processor in the US under EU Standard Contractual Clauses and a Data Processing Agreement, with no training on the data and short retention. If your policy requires EU-only inference, an EU-resident AI route is available on request — talk to us before you turn the AI feature on.
DPA & how to reach us
We offer a Data Processing Agreement for customers who need one — it sets out VoC's role as your processor, the sub-processor terms above, EU SCCs for the US transfer, and our security commitments. We can also share the full DPIA and the Legitimate Interest Assessment on request.
- Request a DPA or the DPIA: privacy@[YOUR-DOMAIN]
- General sales & commercial questions: sales@[YOUR-DOMAIN]
- Product support: support@[YOUR-DOMAIN]
Prefer a form? Reach our team via the contact page. For your rights as a data subject and our full disclosures, see the Privacy Policy.
Implementer note: confirm the registered legal entity, address and DPO contact, set a real review date, and replace the [YOUR-DOMAIN] email placeholders before this page goes live. The lawful-basis column describes the customer (controller) basis; have Legal confirm it maps to each customer's own privacy notice.