Privacy Policy

rapid user feedback GmbH – Website, Platform & Services
Last updated: February 2025

1. Data Controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG) is:

2. Overview

This privacy policy explains how we process personal data when you:

• visit our website (Section A),
• use our services as a client (Section B),
• participate in studies or register for our panel as a participant (Section C),
• attend our events (Section D).

3. Section A – Website Visitors

3.1 Hosting

Our website is hosted by Vercel Inc. (USA). When you access the website, technical data (IP address, browser type, operating system, access time) is automatically transmitted to Vercel's servers. Processing is based on our legitimate interest in providing the website (Art. 6(1)(f) GDPR). Vercel is certified under the EU-US Data Privacy Framework.

3.2 Vercel Analytics

We use Vercel Analytics (Vercel Inc., USA) to collect anonymized usage statistics. Vercel Analytics operates without cookies and does not collect personal data. Data is transmitted as first-party data via our own domain. Processing is based on our legitimate interest in improving our website (Art. 6(1)(f) GDPR). Vercel is certified under the EU-US Data Privacy Framework.

3.3 Web Analytics (PostHog)

We use PostHog (PostHog Inc.) for website analytics. Data is processed on servers within the European Union (PostHog Cloud EU). PostHog collects pseudonymized usage data such as page views, click behavior, and device information. Processing is based on your consent (Art. 6(1)(a) GDPR), which you can provide via our cookie banner.

3.4 Contact Form and Email

When you use our contact form or send us an email, we process your information (name, email address, message) to handle your inquiry. Emails are sent via Resend Inc. (USA), which is certified under the EU-US Data Privacy Framework. The legal basis is the performance of pre-contractual measures and our legitimate interest in responding to inquiries (Art. 6(1)(b) and (f) GDPR).

3.5 Appointment Booking

You can book appointments via our website through Google Calendar (Google Ireland Ltd.). Your name, email address, and chosen time slot are transmitted to Google. The legal basis is the performance of pre-contractual measures (Art. 6(1)(b) GDPR). Google is certified under the EU-US Data Privacy Framework.

3.6 AI Chat

Our website features an AI-powered chat operated via the Anthropic API (Anthropic PBC, USA). When you use the chat, your inputs are transmitted to Anthropic to generate a response. We store chat logs to improve our services. The legal basis is your consent (Art. 6(1)(a) GDPR) and our legitimate interest in providing customer service (Art. 6(1)(f) GDPR). Anthropic is certified under the EU-US Data Privacy Framework.

3.7 Newsletter

You can subscribe to our newsletter via our website or platform. We process your email address and, if provided, your name on the basis of your consent (Art. 6(1)(a) GDPR). The newsletter is sent via Resend Inc. (USA). You may revoke your consent at any time by using the unsubscribe link in the newsletter or by contacting us.

3.8 Cookies

Our website uses only technically necessary cookies required for the operation of the website. These cookies are set on the basis of our legitimate interest (Art. 6(1)(f) GDPR). For PostHog Analytics, your consent is obtained via our cookie banner.

3.9 Third-Party Links

Our website contains links to third parties (e.g., LinkedIn). When you click these links, you are redirected to the respective platform. We have no control over data processing by these third parties. Please refer to their respective privacy policies.

4. Section B – Clients

4.1 Contract Performance

We process personal data of our clients (company names, contact persons, email addresses, phone numbers, billing addresses) for the initiation, performance, and execution of contracts. The legal basis is contract performance (Art. 6(1)(b) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR).

4.2 Communication

Client communication is conducted via Google Workspace (Google Ireland Ltd., servers in the EU, Google certified under the EU-US Data Privacy Framework). Emails and documents are processed and stored in Google Workspace.

4.3 Accounting and Tax Advisory

Invoicing data and accounting-relevant information are shared with our external tax advisory firm, PREGETTER Steuerberatung GmbH (Königstetter Straße 128-134, 3430 Tulln, Austria). This includes invoices, company names, and contact persons. The legal basis is compliance with legal obligations (Art. 6(1)(c) GDPR) and our legitimate interest in proper bookkeeping (Art. 6(1)(f) GDPR).

4.4 Platform Use by Clients

Clients may independently create and conduct studies via our platform. When a client independently launches a study via the platform, the client is the data controller under the GDPR for that study. Rapid user feedback acts as a data processor in such cases. The specifics of data processing are governed by the Client Terms of Service and the Data Processing Agreement (DPA).

5. Section C – Study Participants

5.1 Registration and Account

Participation in studies requires registration on our platform. During registration, we collect the following mandatory information (the “Golden Six”): name, email address, date of birth, gender, place of residence, and language. This data is processed on the basis of contract performance (Art. 6(1)(b) GDPR). The minimum age for registration is 16 years.

5.2 Profiling Data

In addition to the mandatory information, participants may voluntarily complete additional profile fields (e.g., occupation, interests, technical equipment, household information). These are optional and serve to match you with suitable studies. The legal basis is your consent (Art. 6(1)(a) GDPR). You may modify or delete this information in your profile at any time.

5.3 Conducting Studies

a) Remote Studies

Remote studies are currently conducted via Google Meet (Google Ireland Ltd.). Video and audio recordings as well as screen recordings may be made. Before each study, you will be informed about the specific methods and recording types used and asked for your explicit consent.

b) Lab Studies

Lab studies take place at the rapid user feedback lab in Das Packhaus (Marxerstraße 24/2/EG, 1030 Vienna). The following recordings may be made:

• Video recordings
• Audio recordings
• Screen recordings
• Photographs

Before each study, you will be informed about the specific methods used and asked for your explicit consent via the platform. The legal basis for recordings is your consent (Art. 6(1)(a) GDPR). You may revoke your consent at any time with effect for the future.

c) Observers

Clients of rapid user feedback may observe studies live. You will be informed before the study whether observers will be present. The legal basis is your explicit consent as part of the study consent process.

5.4 Compensation (Incentives)

Participants may receive compensation for study participation. For payment purposes, we store your name and IBAN. This data is processed on the basis of contract performance (Art. 6(1)(b) GDPR) and compliance with legal retention obligations (Art. 6(1)(c) GDPR). Name and IBAN associated with payments cannot be deleted even after account deletion due to legal retention obligations under the Austrian Federal Fiscal Code (Bundesabgabenordnung, BAO) and are retained for a minimum of 7 years.

Incentive data (participant names and payment information) is also shared with our tax advisory firm, PREGETTER Steuerberatung GmbH, for accounting purposes.

As part of incentive payouts, Busch Labs compares the account holder name with the registered participant name. This serves fraud prevention and plausibility verification. The legal basis is our legitimate interest pursuant to Art. 6(1)(f) GDPR. The comparison is limited to the name match; no access to other account data occurs.

5.5 Account Deletion

Upon deletion of your account, all personal data will be deleted, except for the payment data mentioned in Section 5.4 (name and IBAN), which is subject to legal retention obligations. Study results are retained exclusively in anonymized, aggregated form. Once aggregated, this data can no longer be attributed to individual persons or subsequently deleted.

For fraud prevention purposes, we store a non-reversible cryptographic hash of your email address after account deletion. This hash value is used solely to prevent abusive re-registrations aimed at obtaining sign-up incentives multiple times. It is technically impossible to derive your email address from this hash. The legal basis is our legitimate interest in fraud prevention (Art. 6(1)(f) GDPR).

5.6 Third-Party Study Routing

Busch Labs may transmit pseudonymized profile data (age, gender, country, postal code, education, employment status, interests) to partner market research platforms in order to qualify participants for additional studies. No transmission of real names or email addresses occurs.

Legal basis: consent pursuant to Art. 6(1)(a) GDPR. Consent is provided during registration or in the profile settings and may be revoked there at any time.

A current list of our partner platforms can be found in Section 5.8 of this privacy policy.

When participating in external studies, the respective privacy policies of the study provider apply.

5.7 AI-Moderated Interviews

Certain studies may be moderated by AI systems. In such cases, an AI-powered system conducts the interview instead of a human moderator.

Participants are informed before the start of such a study that the interview will be conducted using AI.

Responses are processed for analysis and made available to the respective client in anonymized or pseudonymized form.

Legal basis: consent pursuant to Art. 6(1)(a) GDPR (provided through participation in the respective study after being informed).

5.8 Partner Platforms

The following list contains our current partner market research platforms to which pseudonymized profile data may be transmitted pursuant to Section 5.6:

Currently in preparation. This list will be updated when partnerships are established.

6. Section D – Event Participants

6.1 Events by rapid user feedback

We organize public meetups, internal trainings, and workshops. Photographs and video recordings are taken at these events and may be published on our website, on LinkedIn, and in our newsletter. The legal basis is our legitimate interest in public relations (Art. 6(1)(f) GDPR). You have the right to object to publication at any time. Please contact us using the contact details provided in Section 1.

6.2 Notice Regarding Recordings at Das Packhaus

Our lab is located at Das Packhaus (Marxerstraße 24/2/EG, 1030 Vienna). In the public areas of Das Packhaus, the association Paradocks – Verein für horizontale Stadtplanung und integrierte Projektentwicklung in der Zwischennutzung (Marxerstraße 24/2/EG, 1030 Vienna) – independently creates photo and video recordings. Paradocks is an independent data controller for this purpose. For questions regarding these recordings, please contact Paradocks directly.

7. Sub-Processors and Recipients

We engage the following service providers as sub-processors or share data with the following recipients:

8. International Data Transfers

Some of our service providers are located in the USA. Data transfers to the USA are based on the European Commission's adequacy decision regarding the EU-US Data Privacy Framework (DPF). All US-based service providers to which we transfer data are certified under the DPF. Where data is processed within the EU (PostHog EU, Supabase EU Frankfurt), no international data transfer occurs.

9. Data Retention Periods

We retain your personal data only for as long as necessary for the respective purposes or as required by statutory retention obligations:

• Panel profile data: As long as your account is active, plus 12 months after deactivation.
• Study data (recordings, non-aggregated results): 2 years after project completion, unless otherwise agreed with the client.
• Payment data (name, IBAN): Minimum 7 years pursuant to the Austrian Federal Fiscal Code (BAO).
• Invoicing data (clients): Minimum 7 years pursuant to BAO.
• Website usage data (PostHog): Maximum 24 months.
• Contact inquiries: 1 year after completion of the inquiry, unless a contract is formed.
• Newsletter data: Until revocation of your consent.
• Event photos: Indefinitely, unless you object.
• Chat messages: Chat messages are stored for a maximum of 30 days and then automatically deleted.
• Rate limiting data: Automatically deleted after 24 hours.
• Fraud prevention (email hash): Indefinite (non-personal data, as cryptographically non-reversible).

10. Your Rights

Under the GDPR, you have the following rights:

• Access (Art. 15 GDPR): You may request information about the personal data we process about you.
• Rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
• Erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
• Restriction (Art. 18 GDPR): You may request restriction of processing.
• Data portability (Art. 20 GDPR): You may request your data in a structured, machine-readable format.
• Objection (Art. 21 GDPR): You may object to processing based on Art. 6(1)(f) GDPR at any time.
• Withdrawal (Art. 7(3) GDPR): You may withdraw your consent at any time with effect for the future.

To exercise your rights, please contact: marc.busch@busch-labs.at

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the competent supervisory authority:

12. Cookie Policy

Detailed information about the cookies used on our website can be found in our cookie banner. You can adjust your settings at any time. Technically necessary cookies cannot be disabled as they are required for the operation of the website.

13. Changes to This Privacy Policy

We reserve the right to update this privacy policy as needed to reflect changes in legal requirements or changes to our services or data processing activities. The current version is always available on our website.