RINSlab

Data Processing Terms

Effective date: 3 July 2026

These Data Processing Terms form part of the RINSlab Terms of Service. They apply whenever you use the service to process personal data as a controller under EU/UK GDPR — typically as a workspace owner collecting poll responses and managing members. In these terms, “we” and “us” refer to Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701, acting as your processor.

1. Subject matter and roles

You are the controller of the Covered Data; we are your processor. We process Covered Data only to provide the service described in the Terms, for as long as your workspace exists.

Covered Data means:

  • Data subjects: your poll respondents; people you invite to your workspaces; anyone identifiable from content you enter.
  • Data categories: poll responses (the two Kano ratings, an optional importance rating, the related feature, and a timestamp — the poll form asks for no direct identifiers); invitee email addresses; and any personal data you choose to include in feature names, descriptions, notes, or workspace branding.
  • Nature and purpose of processing: hosting, storage, transmission, display, and aggregation into insights, as needed to operate the service.
  • Duration: until the relevant content or workspace is deleted, as set out in the Terms and the Privacy Policy.

2. Instructions

We process Covered Data only on your documented instructions. These Data Processing Terms, the Terms of Service, the Privacy Policy, and your use of the product's controls (creating features, sharing poll links, inviting members, editing and deleting content) together constitute your complete documented instructions. If we believe an instruction infringes data-protection law, we'll tell you.

3. Confidentiality

We ensure that anyone we authorise to process Covered Data is bound by an appropriate duty of confidentiality.

4. Security

We implement appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit, encryption at rest at the database layer, and role-based access controls, as described in the Privacy Policy.

5. Subprocessors

You give general written authorisation for the subprocessors listed in section 5 of the Privacy Policy. We'll notify you — by email or via the service — at least 30 days before adding or replacing a subprocessor. If you reasonably object on data-protection grounds and we can't offer a workaround, you may delete the affected workspace and, if you've prepaid, receive a pro-rata refund for the unused period. We impose data-protection obligations on our subprocessors consistent with these terms and remain responsible for our subprocessors' compliance with the obligations applicable to them under these Data Processing Terms.

6. Data subject requests

Poll responses are collected without direct identifiers. As a result, we are generally unable to identify an individual respondent or associate a stored response with a particular person. Taking into account the nature of the processing, we assist you through the measures built into the product: CSV export, content editing, and feature or workspace deletion. If a data subject contacts us directly about your workspace, we'll forward the request to you without undue delay and won't respond on your behalf beyond directing them to you.

7. Assistance

Taking into account the nature of the processing and the information available to us, we'll reasonably assist you in meeting your obligations under Articles 32–36 GDPR (security, breach notification, and data-protection impact assessments) and related provisions of the GDPR where applicable.

8. Personal data breaches

If we become aware of a personal data breach affecting Covered Data, we'll notify you without undue delay and provide the information reasonably needed for your own notification obligations, as it becomes available.

9. International transfers

Covered Data may be processed by subprocessors outside the EEA/UK as described in the Privacy Policy. Such transfers are safeguarded by the European Commission's Standard Contractual Clauses (and UK equivalents) concluded with those providers. You authorise these transfers.

10. Deletion and return

You can export your insights as CSV at any time and delete content or entire workspaces directly in the product; deletion removes the underlying Covered Data. When your workspace or account is closed, we delete Covered Data within 30 days, unless the law requires longer retention. Residual copies in encrypted backups are overwritten in the ordinary backup cycle.

11. Audits and information

On request, we'll make available the information reasonably necessary to demonstrate compliance with Article 28 GDPR — these terms, our subprocessor list, and summaries of our providers' security documentation. Given the scale of the service, audit rights are satisfied by written responses to reasonable requests, no more than once per year, unless a supervisory authority requires otherwise. We will promptly inform you if we determine that we can no longer meet our obligations under these Data Processing Terms.

12. Liability, precedence, term

Liability under these Data Processing Terms is subject to the limitations in the Terms of Service. Where these terms conflict with the Terms or the Privacy Policy on data-protection matters, these terms prevail. They apply for as long as we process Covered Data.

See also our Terms of Service and Privacy Policy.