Privacy Policy
Last updated: March 30, 2026
Welcome to VoteFirst ("we", "us", "our"). VoteFirst is a software-as-a-service (SaaS) platform that helps product teams collect, organize, and prioritize feature requests through voting boards, public roadmaps, and activity tracking. We are operated from the Czech Republic.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you visit our website at https://votefirst.app, use our application, or interact with us in any other way. It applies to all users of our Service, including account holders, their end users who submit votes and feedback, and visitors to our marketing website.
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, and other applicable data protection laws. By using our Service, you acknowledge that you have read and understood this Privacy Policy.
If you have any questions about this Privacy Policy or our data practices, you can contact us at support@votefirst.app.
We collect information that you provide directly to us, information generated through your use of the Service, and limited technical information collected automatically. We only collect information that is necessary to provide and improve our Service.
When you create a VoteFirst account, we collect:
When you use VoteFirst to manage feature requests, we store the content you and your users create, including:
We automatically collect certain information about how you interact with our Service, including:
This usage data is collected through our analytics provider, PostHog, and is only gathered after you have given your consent via our cookie banner. See Section 4 for more details.
We do not collect sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, or biometric data. We do not collect financial information directly - all payment processing is handled by third-party payment processors.
We use the information we collect for the following purposes, each based on a specific legal basis under the GDPR:
We use your account information and project data to operate the VoteFirst platform, including authenticating your identity, displaying your voting boards and roadmaps, processing votes and comments, and delivering the features you expect from the Service. The legal basis for this processing is the performance of our contract with you (Article 6(1)(b) GDPR).
We use anonymized and aggregated usage data to understand how our Service is used, identify areas for improvement, diagnose technical issues, and develop new features. The legal basis for this processing is our legitimate interest in improving our product (Article 6(1)(f) GDPR).
We use your email address to send you important service-related communications, including account verification, security alerts, billing notifications, and changes to our terms or policies. We may also send product updates and announcements if you have opted in to receive them. The legal basis for service communications is the performance of our contract with you (Article 6(1)(b) GDPR), and for marketing communications, your consent (Article 6(1)(a) GDPR).
We use technical information, including IP addresses and session data, to protect the Service against unauthorized access, fraud, abuse, and other security threats. The legal basis for this processing is our legitimate interest in maintaining the security of our Service (Article 6(1)(f) GDPR).
We may process your information to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. The legal basis for this processing is compliance with a legal obligation (Article 6(1)(c) GDPR).
We use PostHog as our analytics platform to understand how visitors and users interact with our website and application. PostHog helps us measure feature adoption, identify usability issues, and make data-driven decisions about product development.
Our PostHog instance is hosted on PostHog's European Union servers at eu.i.posthog.com. This means all analytics data collected from your interactions with VoteFirst is processed and stored within the EU, in compliance with GDPR requirements. No analytics data is transferred outside of the European Economic Area.
When you consent to analytics, PostHog collects the following types of data:
PostHog analytics cookies are only set after you have given your explicit consent via our cookie consent banner. If you decline analytics cookies, no PostHog cookies will be placed on your device, no analytics data will be collected from your session, and the Service will function normally without any restrictions. You can change your preference at any time by clearing your browser's localStorage and revisiting the site.
PostHog is committed to privacy and GDPR compliance. For more information about how PostHog handles data, please refer to PostHog's Privacy Policy.
We use Sender.net as our email marketing and communication platform for managing our waitlist and sending product updates to users who have opted in.
When you sign up for our waitlist or subscribe to product updates, we share only your email address with Sender.net. We do not share your name, usage data, project data, or any other personal information with Sender.net.
Sender.net processes your email address solely for the purpose of delivering emails on our behalf. Sender.net may collect technical data related to email delivery, such as whether an email was opened or a link was clicked, to provide us with campaign performance metrics. For more information, please refer to Sender.net's Privacy Policy.
Every email we send through Sender.net includes a clear unsubscribe link. You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or by contacting us at support@votefirst.app. Unsubscribing from marketing emails will not affect service-related communications that are necessary for the operation of your account.
We use a minimal number of cookies and browser storage mechanisms to operate our Service. We do not use cookies for advertising, cross-site tracking, or profiling. Below is a complete and exhaustive list of all cookies and storage technologies used by VoteFirst.
ph_phc_* for session identification and distinct user tracking. These cookies are first-party cookies set on the votefirst.app domain
We share your personal data only with the third parties listed below, and only to the extent necessary to operate and improve the Service. We do not sell, rent, or trade your personal information to anyone. We have no advertising partners and do not share your data for advertising purposes.
We may disclose your personal information if required to do so by law, or in the good-faith belief that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud or abuse of the Service, or protect the personal safety of users or the public.
If VoteFirst is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. In such an event, we will notify you before your data is transferred and becomes subject to a different privacy policy. We will ensure that the acquiring entity agrees to protect your personal data in a manner consistent with this Privacy Policy.
Beyond what is described above, we do not share your personal information with any other third parties. We do not participate in data broker networks, advertising exchanges, or any form of data marketplace.
We retain your personal data only for as long as is necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
Your account information (email address, name, and account settings) is retained for as long as your account remains active. If you request deletion of your account, we will delete or anonymize your personal data within 30 days of receiving your request. Certain data may be retained longer if necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
Feature requests, votes, comments, and other project-related content are retained for as long as your account is active and the associated project exists. When you delete a project or your account, the associated project data is deleted within 30 days.
Analytics data collected through PostHog is anonymized after 12 months. Anonymized data, which cannot be linked back to any individual, may be retained indefinitely for aggregate statistical analysis and product improvement purposes.
If you unsubscribe from our mailing list, your email address will be removed from our active sending lists within 7 days. We may retain a record of your unsubscribe preference to ensure we do not contact you again.
Server access logs containing IP addresses and request information are automatically purged after 90 days.
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it against unauthorized access, alteration, disclosure, or destruction.
All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS). We enforce HTTPS across our entire platform, ensuring that your data cannot be intercepted or tampered with during transmission.
All personal data stored in our database is encrypted at rest. Our PostgreSQL database uses disk-level encryption to protect stored data from unauthorized physical access.
We perform regular automated backups of our database to ensure data availability and enable recovery in the event of hardware failure or other incidents. Backups are encrypted and stored securely within the EU.
Access to personal data is restricted to authorized personnel who require it to operate, develop, or improve the Service. We follow the principle of least privilege, granting access only to the minimum data necessary for each role. Administrative access to production systems is protected by strong authentication.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by the GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
If you are located in the European Economic Area (EEA), the United Kingdom, or any other jurisdiction that provides similar rights, you have the following rights regarding your personal data under the GDPR:
You have the right to request a copy of the personal data we hold about you. We will provide this information in a commonly used, machine-readable format within 30 days of your request.
You have the right to request correction of any inaccurate personal data we hold about you, or to have incomplete data completed. You can update most of your account information directly through your account settings.
You have the right to request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw your consent, when you object to processing and there are no overriding legitimate grounds, or when the data has been unlawfully processed. We will complete erasure requests within 30 days.
You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (such as JSON or CSV), and to transmit that data to another service provider without hindrance.
You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of our legitimate grounds.
You have the right to object to the processing of your personal data based on our legitimate interests. Upon receiving your objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Where we process your data based on your consent (such as analytics cookies or marketing emails), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent for analytics by clearing your browser's localStorage and declining cookies on your next visit. You can withdraw consent for marketing emails by clicking the unsubscribe link in any email.
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data violates the GDPR. In the Czech Republic, the supervisory authority is the Office for Personal Data Protection (UOOU) at www.uoou.cz.
To exercise any of the rights described above, please contact us at support@votefirst.app. We will respond to your request within 30 days. We may ask you to verify your identity before processing your request to ensure the security of your data. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
VoteFirst is committed to keeping your data within the European Union.
We do not transfer your personal data outside the European Economic Area (EEA). In the unlikely event that a transfer outside the EEA becomes necessary in the future (for example, due to a change in service providers), we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, and we will update this Privacy Policy accordingly.
VoteFirst is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us at support@votefirst.app. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information from our servers within 30 days.
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make changes to this Privacy Policy, we will:
Your continued use of the Service after the updated Privacy Policy takes effect constitutes your acceptance of the changes. If you do not agree with the revised Privacy Policy, you should stop using the Service and may request deletion of your account and personal data.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data.
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We aim to respond to all inquiries within 30 days. For data protection related requests, please include "Privacy" or "GDPR" in the subject line of your email to help us route your request to the appropriate team member.