This privacy policy explains how poll2go processes personal data from creators (registered account holders) and voters (anonymous participants). It satisfies the information requirements of Article 13 of the General Data Protection Regulation (GDPR).
The data controller within the meaning of Article 4(7) GDPR is:
poll2go processes the following categories of personal data, each with its corresponding purpose and legal basis under GDPR:
| Data Category | Purpose | Legal Basis |
|---|---|---|
| Creator email | Account creation and magic-link authentication | Art. 6(1)(b) — Performance of contract |
| Creator session JWT | Authenticated session management | Art. 6(1)(b) — Performance of contract |
| Poll content | Creating and displaying polls | Art. 6(1)(b) — Performance of contract |
| Voter IP address (raw) | Fraud prevention — duplicate vote detection | Art. 6(1)(a) — Consent |
| Voter browser fingerprint (raw) | Fraud prevention — duplicate vote detection | Art. 6(1)(a) — Consent |
| Voter dedup cookie | Fraud prevention — duplicate vote detection | Art. 6(1)(a) — Consent |
| Voter IP / fingerprint / cookie hashes | Long-term fraud signal retention (no raw PII) | Art. 6(1)(f) — Legitimate interest |
| Consent record | Proof that consent was given before data processing | Art. 6(1)(a) — Consent |
| Audit log | Fraud investigation and dispute resolution | Art. 6(1)(f) — Legitimate interest |
| Error events (PII-stripped) | Application error tracking and debugging | Art. 6(1)(f) — Legitimate interest |

poll2go uses the following third-party service providers (sub-processors) to operate the service. Each has a Data Processing Agreement (DPA) in place:
| Sub-Processor | Purpose | DPA |
|---|---|---|
| Vercel | Application hosting, edge CDN, serverless compute | vercel.com/legal/dpa |
| MongoDB Atlas | Primary database (user accounts, polls, votes, audit logs) | cloud.mongodb.com → Organization Settings → Legal → DPA |
| Resend | Transactional email (magic-link authentication, poll-close notifications) | resend.com/legal/dpa |
| Cloudflare (Turnstile) | CAPTCHA verification for vote submissions | cloudflare.com/legal/dpa |
| Upstash | Rate limiting and results caching (HTTP-based Redis) | upstash.com/trust/dpa.pdf |
| Sentry | Error tracking and application monitoring (PII stripped) | sentry.io/legal/dpa |

Some sub-processors listed above are established outside the EU/EEA (notably Vercel, MongoDB Atlas, and Sentry, which operate infrastructure in the United States). Where personal data is transferred to a country outside the EU/EEA that does not benefit from an adequacy decision, the transfer is protected by Standard Contractual Clauses (SCCs) incorporated into each sub-processor's Data Processing Agreement. You may request copies of these safeguards by contacting us at privacy@poll2go.com.
Personal data is retained only as long as necessary for its stated purpose. The following table summarises retention periods:
| Data Category | Retention Period | Mechanism |
|---|---|---|
| Raw voter PII (IP, fingerprint, cookie in vote_fraud_signals) | 90 days after poll close/expiry | MongoDB TTL index on delete_at |
| Consent records | 90 days after poll close/expiry | MongoDB TTL index on delete_at |
| Auth.js verification tokens | 15 minutes | MongoDB TTL index (configured by MongoDBAdapter) |
| Vote records (hashed fields only — no raw PII) | Indefinite | Hashed data is not personal data under GDPR |
| Audit log | 12 months | MongoDB TTL index on created_at |
| Creator account data | Until account deletion by user | Soft-delete on user request; email pseudonymised |
| Error events (Sentry) | 90 days | Sentry default retention policy |

Under the GDPR, you have the following rights regarding your personal data:
To exercise any of these rights, contact us at privacy@poll2go.com. We will respond within 30 days.
Voters do not have accounts on poll2go. Raw personal data collected during voting (IP address, browser fingerprint, and dedup cookie) is automatically deleted 90 days after the associated poll closes or expires, via a MongoDB TTL (time-to-live) index. After this period, only irreversible cryptographic hashes remain, which do not constitute personal data under GDPR.
During the 90-day retention window, voters may request access to or earlier erasure of their data by emailing privacy@poll2go.com with one of the following identifiers:
Before casting a vote, you are shown a consent notice that explicitly describes the data that will be collected (IP address, browser fingerprint, and a dedup cookie) and the purpose of that collection (fraud prevention).
You may withhold consent. If you decline the consent notice, you will not be able to vote, but you can still view the poll question and its options. No personal data beyond what is strictly necessary for serving the web page (standard HTTP request data processed by the hosting provider) will be collected if you decline.
poll2go uses the following cookies:
| Cookie Name | Purpose | Lifetime | Category |
|---|---|---|---|
| authjs.session-token / __Secure-authjs.session-token | Authenticated creator session (JWT) | Session (expires on browser close) or as configured by Auth.js | Strictly necessary |
| p2g_theme | Stores the user's colour theme and dark/light mode preference | 1 year | Strictly necessary (accessibility/preference) |
| p2g_dedup (set after consent only) | Prevents duplicate votes on the same poll | Until poll closes or expires (max 90 days) | Consent-based (fraud prevention) |

The current consent notice version is v3, last updated on 2026-05-24. When the consent text changes, the version identifier is incremented and voters who previously consented under an older version will be asked to re-consent before voting again.
poll2go is not directed at children. Under Austrian data protection law (DSG §4(4)), minors under the age of 14 may not provide personal data to information society services without the authorisation of a parent or legal guardian.
If we become aware that we have collected personal data from a child under the age of 14 without appropriate parental or guardian authorisation, we will take steps to erase that data as promptly as possible. If you believe a child under 14 has provided us with personal data, please contact us at privacy@poll2go.com.
Personal data may be disclosed to law enforcement authorities or other government bodies when we are legally compelled to do so — for example, pursuant to a court order under Austrian criminal procedure law (Strafprozessordnung, StPO) or an equivalent foreign legal process.
poll2go does not perform proactive monitoring of user activity and does not engage in voluntary reporting of user data to any authority.
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority:
In addition to GDPR, residents of certain jurisdictions may have additional rights under local privacy legislation:
To exercise any of these rights, please email privacy@poll2go.com.
All data subject access requests (DSARs), erasure requests, and other privacy-related inquiries should be directed to:
We will acknowledge your request within 5 business days and provide a substantive response within 30 days, as required by Article 12(3) GDPR.
This privacy policy was last updated on 2026-05-24.