Privacy Policy

Last updated: 12 June 2026

This privacy policy explains how TestiPull ("we", "us") collects, uses, and protects personal data when you use our service at this website. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) as well as relevant US privacy laws (CCPA, VCDPA, CPA, CTDPA, UCPA).

1. Who we are

The controller responsible for data processing on this site is Christopher Kurr (address and contact details: see Imprint).

2. What data we collect

Account data (when you sign up):

  • Email address
  • Name (optional)
  • Password (hashed, never stored in plain text)

Testimonial data (submitted by your clients via a collect link):

  • Author name
  • Job title and company (optional)
  • Testimonial content and rating
  • Optional video URL

Usage data (automatically collected):

  • Page view counts on your collect and wall pages (aggregated, no IP stored)
  • Anonymous analytics via Vercel Analytics and Speed Insights (cookieless)

3. Legal basis (GDPR Art. 6)

  • Contract (Art. 6 para. 1 lit. b): to provide the service you signed up for
  • Consent (Art. 6 para. 1 lit. a): for testimonial submissions — your clients consent when submitting a testimonial
  • Legitimate interest (Art. 6 para. 1 lit. f): for security, fraud prevention, and basic analytics

4. Third-party processors

We use the following subprocessors to operate our service:

  • Supabase (database and authentication) — privacy policy
  • Vercel (hosting, analytics, speed insights) — privacy policy
  • Polar (payment processing, Merchant of Record) — privacy policy
  • Resend (transactional email: account confirmations, password resets, and optional testimonial-request sending) — privacy policy
  • Cloudflare (DNS management for our domain and forwarding of email sent to our support address) — privacy policy
  • GMX / 1&1 Mail & Media (mailbox provider where support correspondence is received and stored; located in Germany, EU) — privacy policy

If you use TestiPull to collect personal data of your own clients, our Data Processing Agreement governs that processing.

5. Data retention

Account and testimonial data are kept for as long as your account is active. On deletion of your account or a specific testimonial, the data is permanently removed from our systems. Backups are retained for up to 30 days.

6. Your rights

Under GDPR and applicable US state laws, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority (e.g. your local data protection authority)

You can delete your account, including all projects and testimonials, at any time yourself under Dashboard → Settings → Delete Account. To exercise any other rights, contact us at support@testipull.com.

7. Cookies and tracking

Vercel Analytics and Speed Insights are loaded only after you give consent via the cookie banner shown on your first visit. Both operate without cookies and do not track individual users across sites. If you decline, no analytics requests are sent at all.

Essential cookies (for authentication and session management via Supabase) are used only when you sign in and are exempt from consent under § 25 (2) TDDDG / ePrivacy Directive. No third-party advertising or cross-site tracking is performed.

You can change or withdraw your consent at any time via the "Cookie Settings" link in the footer.

8. Data location and international transfers

Our primary database and authentication infrastructure (Supabase) is hosted in the European Union (eu-west-1, Ireland). Your account data and testimonials are stored in the EU and not transferred outside the EU for storage.

Some of our other providers (Vercel hosting, Polar payments, Resend transactional email, Cloudflare DNS and email forwarding) are based in the United States. Transfers to these providers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46 and, where applicable, the EU-US Data Privacy Framework. Support correspondence is stored with GMX in Germany (EU).

9. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. Material changes will be communicated via email or via a notice on this page.

10. Contact

Questions about this privacy policy or our data practices can be directed to support@testipull.com.