Privacy Policy

Last updated: 24/04/2026

This privacy policy explains how TestiPull ("we", "us") collects, uses, and protects personal data when you use our service at this website. We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) as well as relevant US privacy laws (CCPA, VCDPA, CPA, CTDPA, UCPA).

1. Who we are

The controller responsible for data processing on this site is Christopher Kurr (address and contact details: see Imprint).

2. What data we collect

Account data (when you sign up):

  • Email address
  • Name (optional)
  • Password (hashed, never stored in plain text)

Testimonial data (submitted by your clients via a collect link):

  • Author name
  • Job title and company (optional)
  • Testimonial content and rating
  • Optional video URL

Usage data (automatically collected):

  • Page view counts on your collect and wall pages (aggregated, no IP stored)
  • Anonymous analytics via Vercel Analytics and Speed Insights (cookieless)

3. Legal basis (GDPR Art. 6)

  • Contract (Art. 6 para. 1 lit. b): to provide the service you signed up for
  • Consent (Art. 6 para. 1 lit. a): for testimonial submissions — your clients consent when submitting a testimonial
  • Legitimate interest (Art. 6 para. 1 lit. f): for security, fraud prevention, and basic analytics

4. Third-party processors

We use the following subprocessors to operate our service:

5. Data retention

Account and testimonial data are kept for as long as your account is active. On deletion of your account or a specific testimonial, the data is permanently removed from our systems. Backups are retained for up to 30 days.

6. Your rights

Under GDPR and applicable US state laws, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate or incomplete data
  • Request deletion ("right to be forgotten")
  • Restrict or object to processing
  • Receive your data in a portable format
  • Withdraw consent at any time
  • Lodge a complaint with a supervisory authority (e.g. your local data protection authority)

To exercise any of these rights, contact us at testipull@gmx.net.

7. Cookies and tracking

We use Vercel Analytics and Speed Insights, both of which operate without cookies and do not track individual users across sites. Essential cookies (for authentication and session management via Supabase) are used only when you sign in. No third-party advertising or cross-site tracking is performed.

8. Data location and international transfers

Our primary database and authentication infrastructure (Supabase) is hosted in the European Union (eu-west-1, Ireland). Your account data and testimonials are stored in the EU and not transferred outside the EU for storage.

Some of our other subprocessors (Vercel hosting, Polar payments, Resend transactional email) are based in the United States. Transfers to these providers are covered by Standard Contractual Clauses (SCCs) under GDPR Art. 46 and, where applicable, the EU-US Data Privacy Framework.

9. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top reflects the most recent change. Material changes will be communicated via email or via a notice on this page.

10. Contact

Questions about this privacy policy or our data practices can be directed to testipull@gmx.net.

Note for Chris (remove before production):

This is a best-effort template. Generate a legally reviewed version via datenschutz-generator.de (eRecht24) and paste it here. Verify the Supabase region to determine whether SCCs are truly needed. Confirm with your lawyer before accepting paying EU customers.