Privacy policy

Feedbase is open-source, self-hosted feedback management software. Because you run it on your own infrastructure, you are the data controller — we have no access to anything stored on your instance.

This policy describes what data Feedbase processes locally, what limited data we collect through the waitlist, and how it is handled.

All data on your Feedbase instance — user accounts, feedback posts, votes, comments, and attachments — lives in your own database on your own servers.

Feedbase processes the following data locally on your instance:

• Account information — name, email address, and hashed password provided during registration.
• Feedback content — posts, comments, votes, and reactions submitted by your users.
• Usage data — timestamps, IP addresses for rate limiting, and session tokens.
• Integration config — if you configure Discord, Slack, GitHub, or email integrations, tokens and settings are stored in your database.

If you join the Feedbase waitlist, your email address is collected and processed by Resend (resend.com), our transactional email provider. This is the only data we collect outside of your self-hosted instance.

• Data collected: your email address only — no name, IP address, or additional fields.
• Purpose: to send a confirmation email and notify you when Feedbase is available.
• Storage: your email is stored in a Resend Audience (contact list) on Resend's infrastructure.
• Resend is GDPR-compliant and SOC 2 Type II certified.
• Your email is never sold, rented, or shared with any other third party.
• You may be contacted by Feedbase only in relation to product updates and availability.

Feedbase may make outbound requests to the GitHub public API to check for software updates. These requests include only your current version number — no personally identifiable information is sent.

Feedbase supports optional integrations with Discord, Slack, GitHub, and email providers. When configured, data may flow to those services under their own privacy policies.

Feedbase uses session cookies strictly to keep users authenticated. These are necessary for the application to function and are not used for tracking or advertising.

As the instance operator, you have full control over all user data — you can view, export, or delete it directly from your database at any time.

If you are a user of someone else's Feedbase instance, please contact that operator regarding your data rights.

• Right to access — you may request a copy of the data we hold about you (waitlist email).
• Right to erasure — you may request deletion of your email from our waitlist at any time.
• Right to withdraw consent — EU users may withdraw consent for email processing at any time with no consequence.
• Right to lodge a complaint — EU users may contact their local supervisory authority.

Instance data is retained for as long as your instance is running and you choose to keep it. There are no external retention schedules imposed by Feedbase.

Waitlist emails stored in Resend are retained until you request deletion or until Feedbase launches and the waitlist is closed, at which point all contacts will be deleted.

Resend may process and store your email address on servers located in the United States. If you are based in the EU or UK, this constitutes an international data transfer.

We take reasonable technical measures to protect the software from known vulnerabilities. Security releases are published on the GitHub repository.

We may update this policy from time to time. Changes will be reflected in the Feedbase repository and noted in the changelog.

For questions about this privacy policy, email hello@breaddevv.cc, open an issue on the Feedbase GitHub repository, or reach out on Discord.