Privacy Policy

Last updated: May 3, 2026

1. Information We Collect

We collect information you provide directly to us, such as when you create an account, use our services, or contact us for support.

Account Information

  • Email address
  • Name and profile information
  • Account credentials
  • Communication preferences
  • Organization name, subscription plan, and billing-related identifiers (Stripe customer ID, subscription status)

Usage Information

  • How you interact with our Service
  • Features you use and actions you take
  • Time, frequency, and duration of your activities

Information About Feedback Viewers

When your organization shares a feedback project (via a link or an embedded widget on your site), participants who respond to that project are referred to as “viewers.” Viewers are not registered Reactions users. We collect, on behalf of your organization, the information viewers voluntarily provide, which may include:

  • Name and email address
  • Emoji reactions, votes, and comments on projects
  • Answers to custom survey questions
  • View timestamps

This data is stored in our database and is accessible to members of the organization that created the feedback project. It may also be included in data exports (see Section 3).

Third-Party OAuth Connections

If you choose to connect a third-party account (such as Figma), we store OAuth access and refresh tokens on your behalf to enable the integration. These tokens are stored securely on our servers and used solely to perform the actions you authorize (e.g., importing Figma prototype screens). You can disconnect any integration at any time from your account settings.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process transactions and send related information
  • Send technical notices, updates, security alerts, and support messages
  • Respond to your comments, questions, and customer service requests
  • Communicate with you about products, services, and events
  • Monitor and analyze trends, usage, and activities
  • Provide feedback results and analytics to the organization that created the feedback project (this includes viewer-provided data)

3. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties without your consent, except as described in this Privacy Policy.

Service Providers

We share data with the following third-party service providers that help us operate the Service:

  • Supabase — database hosting and authentication. All application data (profiles, organizations, projects, feedback, and OAuth tokens) is stored on Supabase-managed infrastructure.
  • Stripe — payment processing. We share your email address and account identifiers with Stripe to create and manage your subscription. Stripe stores your payment method details directly; we do not store full card numbers.
  • Resend — transactional email delivery. We share email addresses and relevant context (e.g., organization name, invite links) with Resend to send welcome emails, organization invitations, and other transactional messages.
  • Figma — prototype import. If you connect your Figma account, we exchange OAuth tokens with Figma to retrieve prototype screens you authorize us to access.

Embedded Widget

If your organization embeds a Reactions feedback widget on a third-party site, viewer interactions on that site are collected and stored on your behalf. Reactions acts as a data processor for this data; your organization is responsible for informing viewers that their feedback is being collected.

Data Exports

Organization members (Admin, Editor, or Viewer roles) may export project feedback as a spreadsheet file. These exports include viewer names, email addresses, and all feedback content. You are responsible for handling exported data in accordance with applicable privacy laws.

Other Disclosures

  • When required by law or to protect our rights
  • In connection with a business transaction, such as a merger or acquisition
  • With your consent or at your direction

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include row-level security policies on our database that restrict data access based on your organization membership, and encrypted connections (HTTPS/TLS) for all data in transit.

No method of electronic storage or transmission is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

5. Data Retention

We retain your personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account or your subscription is cancelled, we retain your data for up to 30 days before permanent deletion to allow for data export and to resolve any outstanding billing disputes.

6. Your Rights and Choices

You have certain rights regarding your personal information:

  • Access and update your account information
  • Request deletion of your personal information
  • Opt out of certain communications
  • Request a copy of your personal information

To exercise any of these rights, contact us at lastpicked@proton.me. We will respond within 30 days. If you are a feedback viewer (not a registered user) and wish to request deletion of data collected about you, please email us with the name of the organization whose project you interacted with so we can locate your records.

California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete your personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your CCPA rights, contact us at the email above.

7. Cookies and Similar Technologies

We use cookies primarily for session management and authentication. These cookies are necessary for the Service to function and allow you to stay logged in across page navigations. We do not use advertising or cross-site tracking cookies. You may configure your browser to refuse cookies, but doing so will prevent you from logging in to the Service.

8. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties.

9. Children's Privacy

Our Service is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us and we will delete it promptly.

10. International Users

The Service is operated from the United States. If you are accessing the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. For material changes, we will also send a notice to the email address associated with your account.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at:

lastpicked@proton.me

← Back to Home