Effective Date: March 29, 2026 Last Updated: March 29, 2026
This Privacy Policy explains how Tabular Pro ("we", "us", or "Company") collects, uses, shares, and protects personal data when you use our platform, website, APIs, and related services (the "Services"). It applies to all users, including account holders ("Creators"), team members, and survey respondents ("Respondents").
By using the Services, you acknowledge that you have read and understood this Privacy Policy.
1. Roles and Responsibilities
1.1 Creators (Data Controllers)
If you create surveys, forms, or data collection instruments, you are the data controller for all personal data collected from your Respondents. You are responsible for:
- Providing privacy notices to your Respondents before collecting their data.
- Ensuring you have a lawful basis for collecting and processing Respondent data.
- Responding to data subject requests from your Respondents (access, deletion, correction, portability).
- Complying with all applicable data protection laws (GDPR, CCPA/CPRA, LGPD, etc.).
1.2 Tabular Pro (Data Processor)
Tabular Pro acts as a data processor on behalf of Creators with respect to Respondent data. We process this data solely to provide the Services and as instructed by the Creator.
1.3 Tabular Pro (Data Controller)
Tabular Pro is the data controller for: account registration data, billing information, usage analytics, website visitor data, and communications with our support team.
2. Personal Data We Collect
2.1 Data You Provide Directly
| Data Type | Examples | Purpose |
|---|---|---|
| Account information | Name, email, password, organization name | Account creation and authentication |
| Organization details | Subdomain slug, logo, branding preferences | Service configuration |
| Billing information | Payment card details (processed by Stripe) | Subscription management |
| Survey content | Questions, answer options, logic rules | Service delivery |
| Support communications | Emails, contact form messages | Customer support |
2.2 Data Collected from Respondents (on behalf of Creators)
Respondent data varies based on the Creator's survey design and may include names, emails, demographic information, opinions, and any other data the Creator chooses to collect. Creators control what data is collected from Respondents, not Tabular Pro.
2.3 Data Collected Automatically
| Data Type | Method | Purpose |
|---|---|---|
| Usage data | Server logs | Service improvement, debugging |
| Device information | HTTP headers | Compatibility, security |
| IP address | Server logs | Security, fraud prevention |
| Cookies | Browser cookies | Authentication, preferences |
3. How We Use Personal Data
We use personal data for the following purposes:
- Service delivery: Operating the platform, provisioning tenant databases, routing requests, and processing survey responses.
- Authentication and security: Verifying identity, preventing unauthorized access, and detecting fraud.
- Billing: Processing payments, managing subscriptions, and issuing invoices.
- Communications: Sending transactional emails (confirmations, password resets, service notices) and, with your consent, product updates.
- Improvement: Analyzing aggregated, anonymized usage patterns to improve the platform. We do not analyze individual survey responses for this purpose.
- Legal compliance: Responding to legal obligations, enforcing our Terms, and protecting our rights.
4. How We Store and Protect Data
4.1 Data Architecture
Tabular Pro uses a multi-tenant isolated architecture:
- System database: Contains organizational metadata only (organization name, slug, subscription status, database references, and user authentication data). Hosted on our infrastructure.
- Tenant databases: Each organization's survey data, responses, dashboards, and reports are stored in a dedicated, isolated database instance hosted by Neon, Inc., our Database Provider. No other customer can access your data.
4.2 What We Do NOT Store
Our application servers do not persistently store or process:
- Survey response data
- Respondent personal information
- Survey analytics or report content
- File uploads or media associated with surveys
This data resides exclusively in your isolated tenant database hosted by our Database Provider.
4.3 Database Provider (Neon, Inc.)
Our Database Provider maintains the following certifications and security measures:
- SOC 2 Type II certified (annual independent audits)
- ISO/IEC 27001:2022 certified
- ISO/IEC 27701:2019 certified (privacy information management)
- HIPAA compliant
- GDPR compliant
- Encryption at rest: AES-256 with key rotation
- Encryption in transit: TLS 1.2+ enforced
- Backups: Automated point-in-time recovery across availability zones
- Infrastructure: AWS with multi-region capabilities
4.4 Payment Processing
Payment information is processed directly by Stripe, Inc., a PCI DSS Level 1 certified payment processor. Tabular Pro does not store, process, or have access to your full payment card details.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
5.1 Subprocessors
We use third-party service providers to help deliver the Services. Each subprocessor is bound by contractual obligations to protect your data.
| Subprocessor | Purpose | Data Processed |
|---|---|---|
| Neon, Inc. | Database hosting (isolated tenant instances) | Survey data, responses, all tenant content |
| Stripe, Inc. | Payment processing | Billing and payment information |
| AWS (Amazon Web Services) | Application hosting, file storage | Organizational metadata, uploaded files |
| SMTP Provider | Transactional email delivery | Email addresses, message content |
5.2 Legal Requirements
We may disclose data if required by law, court order, or governmental request. Where permitted, we will notify you before disclosure.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such transfer and any changes to this Privacy Policy.
5.4 With Your Consent
We may share data with additional third parties only with your explicit consent.
6. Data Retention
6.1 Account Data
We retain your account data for as long as your account is active. After account closure or termination, we delete your tenant database and all associated Content within 30 days.
6.2 Respondent Data
Respondent data is retained in the Creator's tenant database for as long as the Creator's account remains active, unless the Creator deletes it sooner. Creators are responsible for establishing and communicating their own data retention policies to Respondents.
6.3 System Logs
Server logs containing IP addresses and usage data are retained for a maximum of 90 days and then automatically purged.
6.4 Billing Records
Billing and transaction records are retained for the period required by applicable tax and accounting laws (typically 7 years).
6.5 Inactive Accounts
Accounts inactive for 12 consecutive months may be scheduled for closure after a 30-day warning period. Upon closure, all associated data is deleted.
7. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
7.1 For Creators and Account Holders
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Correction | Request correction of inaccurate or incomplete data. |
| Deletion | Request deletion of your account and associated data. |
| Portability | Request your data in a structured, machine-readable format. |
| Restriction | Request that we restrict processing of your data in certain circumstances. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Withdraw consent for optional processing (e.g., marketing communications) at any time. |
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
7.2 For Respondents
If you submitted a response to a survey created on Tabular Pro, please contact the Creator (the organization that sent you the survey) directly to exercise your data rights. The Creator is the data controller for your response data. If you are unable to identify or reach the Creator, contact us and we will make reasonable efforts to assist.
8. International Data Transfers
Your data may be processed in countries other than your own. When transferring data internationally, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- EU-U.S. Data Privacy Framework (DPF) where applicable.
- Adequacy decisions recognized by relevant data protection authorities.
Our Database Provider (Neon, Inc.) processes data in AWS regions. You may request information about the specific region where your data is hosted by contacting support.
9. Cookies
9.1 Essential Cookies
We use essential cookies for authentication (session tokens) and security (CSRF protection). These cannot be disabled as they are necessary for the Services to function.
9.2 Preference Cookies
We use cookies to remember your settings, such as dark/light mode preferences and language selection.
9.3 Analytics
We may use anonymized, aggregated analytics to understand how the Services are used. We do not use third-party advertising cookies or tracking pixels.
9.4 Managing Cookies
You can manage cookies through your browser settings. Disabling essential cookies may prevent you from using the Services.
10. Children's Privacy
The Services are not directed at individuals under 16 years of age. We do not knowingly collect personal data from children under 16. If you become aware that a child has provided personal data to us, please contact us immediately and we will delete it.
Creators who use the Services to collect data from individuals under 16 are solely responsible for obtaining verifiable parental consent as required by applicable law (e.g., COPPA, GDPR Article 8).
11. AI Features and Data Processing
11.1 AI-Powered Features
The Services may include AI-powered features for survey design assistance, data analysis, and report generation.
11.2 No Model Training
Your Content, including survey data and Respondent responses, is never used to train AI models -- neither our own nor any third-party models. AI features process your data on-demand solely to generate outputs within the platform.
11.3 AI Subprocessors
When AI features are used, data may be sent to AI service providers for real-time processing only. These providers are contractually prohibited from retaining or using your data for any purpose other than generating the requested output.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act:
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information.
- Right to opt-out of the sale of personal information. We do not sell personal information.
- Right to non-discrimination for exercising your privacy rights.
To exercise your California privacy rights, contact us at [email protected].
13. European Economic Area and UK (GDPR)
If you are in the EEA or UK, we process your personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Service delivery | Performance of contract |
| Billing | Performance of contract |
| Security and fraud prevention | Legitimate interest |
| Legal compliance | Legal obligation |
| Product improvement (aggregated data) | Legitimate interest |
| Marketing communications | Consent |
You may lodge a complaint with your local supervisory authority if you believe your data has been processed in violation of the GDPR.
For GDPR-related inquiries, contact our Data Protection contact at [email protected].
14. Security Incident Response
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected account administrators without undue delay (and within 72 hours where required by GDPR).
- Provide details about the nature of the breach, the data affected, and the remedial measures taken.
- Cooperate with relevant supervisory authorities as required.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account administrators at least 30 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
16. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
- Email: [email protected]
- General inquiries: tabularpro.com/contact