Data Processing Agreement
Last updated: April 21, 2026
📋 About This Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between TinyPoll and our customers for the provision of the TinyPoll polling service. It addresses the requirements of data protection laws including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Australian Privacy Act 1988.
By using TinyPoll, you agree to this DPA in addition to our Terms of Service and Privacy Policy.
1. Definitions
- "Customer" means the Slack workspace administrator or organisation that has installed TinyPoll.
- "TinyPoll" means TinyPoll (ABN 33 214 294 124), the provider of the Service.
- "Personal Data" means any information relating to an identified or identifiable person, as processed through the Service.
- "Processing" means any operation performed on Personal Data.
- "Subprocessor" means a third party engaged by TinyPoll to process Personal Data on behalf of the Customer.
2. Roles and Responsibilities
For the purposes of data protection law:
- Customer is the Controller — you determine why and how Personal Data from your Slack workspace is processed through TinyPoll.
- TinyPoll is the Processor — we process Personal Data only as necessary to provide the polling service, and only on your instructions (as set out in the Terms of Service).
For TinyPoll's own purposes (billing, account management, website analytics), TinyPoll acts as an independent Controller as described in our Privacy Policy.
3. Scope of Processing
| Data Category | Examples | Purpose |
|---|---|---|
| Workspace identifiers | Slack Team ID | Multi-workspace support, billing |
| User identifiers | Slack User IDs | Vote tracking, poll ownership |
| Channel identifiers | Slack Channel IDs | Display polls in correct channel |
| Poll content | Questions, answer options | Providing the polling service |
| Voting data | Vote records | Recording and displaying results |
| Authentication tokens | Slack bot tokens (encrypted) | Interacting with your Slack workspace |
4. TinyPoll's Obligations
TinyPoll shall:
- Process Personal Data only for the purpose of providing the Service, and only in accordance with the Customer's documented instructions (i.e., the Terms of Service).
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of data at rest and in transit
  - AWS infrastructure with enterprise-grade security controls
  - Cryptographic verification of all Slack API requests
  - Least-privilege access controls and IAM policies
  - Automated data deletion per retention schedules
- Not engage a Subprocessor without providing the Customer with prior notice (see Section 5).
- Assist the Customer, where reasonably possible, in responding to data subject rights requests.
- Delete or return Personal Data upon termination of the Service, subject to legal retention requirements.
- Make available to the Customer information necessary to demonstrate compliance with this DPA.
5. Subprocessors
TinyPoll uses the following subprocessors to deliver the Service:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, data storage, compute | Sydney, Australia (ap-southeast-2) |
| Slack Technologies (Salesforce) | Slack platform integration | United States |
| Stripe, Inc. | Payment processing (paid plans only) | United States |
| Google LLC | Website analytics (website only, not Slack app) | United States |
| Zoho Corporation | Customer support chat (website only) | United States / India |
We will notify customers of any new subprocessors by updating this page. If you object to a new subprocessor, you may terminate the Service.
6. International Data Transfers
TinyPoll's primary data processing occurs in Australia (AWS ap-southeast-2). Some subprocessors are located in the United States. For transfers of Personal Data from the EEA, UK, or Switzerland:
- We rely on the subprocessors' own transfer mechanisms (e.g., EU-US Data Privacy Framework, Standard Contractual Clauses) as applicable.
- AWS, Stripe, and Google each maintain their own data transfer frameworks compliant with GDPR requirements.
7. Data Retention and Deletion
Personal Data processed through the Service is automatically deleted based on the Customer's plan:
- Free plan: Poll data deleted after 7 days
- Pro plan: Poll data deleted after 30 days
Active service data (including polls, votes, and settings) is retained and deleted in accordance with the Customer's applicable plan-based retention period described above. Certain data may be retained where required by law (e.g., billing records for tax compliance) or for legitimate security purposes.
8. Data Breach Notification
In the event of a Personal Data breach, TinyPoll will:
- Notify the Customer without undue delay (and in any event within 72 hours of becoming aware of the breach).
- Provide sufficient detail to allow the Customer to meet its own breach notification obligations.
- Take reasonable steps to mitigate the effects of the breach.
9. Term and Termination
This DPA remains in effect for as long as TinyPoll processes Personal Data on behalf of the Customer. Upon termination of the Service, TinyPoll will delete Personal Data in accordance with Section 7.
10. Governing Law
This DPA is governed by the laws of Australia, consistent with the governing law of the Terms of Service.
Need a Signed Copy?
If your organisation requires a countersigned DPA, please contact us:
Email: legal@tinypoll.io
We'll provide a signed copy within 5 business days.
TinyPoll