Is there a free plan?

Yes. The free plan includes 1 board, up to 100 posts, and unlimited users — free forever, no credit card required.

How is pricing calculated?

Flat $20/mo per workspace (or $200/year). No per-user charges, no tracked-user limits. Your price stays the same whether you have 10 or 10,000 users giving feedback.

Can I embed it in my app?

Yes. Drop a single script tag into your site. Supports open mode for quick setup or HMAC-signed authentication to automatically identify your logged-in users.

Do my users need to create accounts?

No. When embedded, users are authenticated through your app automatically — no separate signup. On the public board, they sign in with a magic link. No passwords needed.

Can I customize the workflow?

Yes. Pro workspaces can rename, recolor, and reorder post statuses to match your team's actual workflow — from "New idea" to "Shipped" or anything in between.

Is data isolated between workspaces?

Completely. Each workspace has its own users, posts, and settings. A user in one workspace has no connection to another — by design.

How does Feedbakery differ from Canny?

Feedbakery offers a free plan with unlimited users and a Pro tier at $20/mo — roughly 4× cheaper than Canny's $79/mo starter plan. Unlike Canny, Feedbakery charges a flat workspace fee with no per-tracked-user pricing, includes passwordless magic link login, Telegram notifications, and HMAC-signed embed authentication on the Pro plan.

Can I import data from Nolt or Canny?

Yes. Feedbakery includes an import tool so you can migrate your existing posts and votes from Nolt or Canny without losing your history.

Does Feedbakery include a public roadmap?

Yes. Every workspace includes a public roadmap view that groups posts by status — so users can see what's planned, in progress, and shipped without leaving your product.

Data Processing Agreement

Effective Date: December 13, 2018

Last Updated: February 20, 2026

Website: https://feedbakery.io

This Data Processing Agreement forms part of the Terms and Conditions between Feedbakery and its customers.

1. Introduction

This Data Processing Agreement ("DPA") is entered into between:

Customer ("Controller") — the Tenant who has registered for an account on Feedbakery and uses the Service to collect and manage feedback from their end users; and
Feedbakery (formerly known as TheBeyond.io) ("Processor") — operated from Chisinau, Republic of Moldova.

This DPA supplements the Feedbakery Terms and Conditions and Privacy Policy and reflects the parties' agreement regarding the processing of personal data by the Processor on behalf of the Controller, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

By using the Service, the Controller agrees to be bound by this DPA. Where there is any conflict between this DPA and the Terms and Conditions, this DPA shall prevail with respect to data protection matters.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) GDPR.
Processing: Any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction, as defined in Article 4(2) GDPR.
Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA, primarily End Users of the Controller's feedback boards.
Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
Supervisory Authority: An independent public authority responsible for monitoring the application of data protection laws, as defined in Article 4(21) GDPR.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor provides a customer feedback management platform that enables the Controller to collect, organize, and manage feedback from their End Users through feedback boards, voting, and commenting.

3.2 Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Service to the Controller, as described in the Terms and Conditions. This includes operating feedback boards and projects, facilitating End User authentication (magic links, embedded widget authentication), storing and displaying feedback posts, votes, and comments, sending transactional emails on behalf of the Controller, and providing the Controller with access to feedback data and analytics.

3.3 Duration of Processing

Processing shall continue for the duration of the Controller's use of the Service. Upon termination of the Controller's account, the Processor shall handle Personal Data in accordance with Section 11 of this DPA.

4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

End Users of the Controller's feedback boards
Any other individuals whose data the Controller submits to the Service

4.2 Categories of Personal Data

The following categories of Personal Data may be processed:

Identification data: Email addresses, display names
Authentication data: Magic link tokens (temporary), session tokens
Content data: Feedback posts, comments, votes
Technical data: IP addresses, browser user agent, device information
Usage data: Timestamps of access, pages visited, features used

4.3 Sensitive Data

The Processor does not intentionally collect or process special categories of Personal Data (as defined in Article 9 GDPR). The Controller shall not submit special category data to the Service unless the Controller has obtained explicit consent from the Data Subjects and has a lawful basis for processing such data.

5. Obligations of the Processor

The Processor shall:

5.1 Lawful Processing

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

5.2 Confidentiality

Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR. These measures include, but are not limited to:

Encryption of Personal Data in transit using TLS/SSL
Secure hashing of passwords and authentication tokens (bcrypt)
Access controls and role-based authentication for administrative functions
Rate limiting across all endpoints to prevent abuse
Soft deletion mechanisms to prevent accidental data loss
Regular security reviews and testing
Server infrastructure located in the European Union (Amsterdam, Netherlands)
Logging and monitoring of access to Personal Data

5.4 Sub-processors

Comply with the conditions for engaging Sub-processors as set out in Section 7 of this DPA.

5.5 Data Subject Rights

Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.

5.6 Assistance with Compliance

Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.

5.7 Deletion and Return of Data

Upon termination of the Service, delete or return all Personal Data to the Controller as set out in Section 11, and delete existing copies unless applicable law requires storage of the Personal Data.

5.8 Audit and Inspection

Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the conditions in Section 10.

6. Obligations of the Controller

The Controller shall:

Ensure that the processing of Personal Data through the Service has a lawful basis under applicable data protection law.
Provide appropriate privacy notices to Data Subjects (End Users) informing them about the processing of their Personal Data through the Service.
Ensure that any instructions given to the Processor regarding the processing of Personal Data comply with applicable law.
Respond to Data Subject requests regarding their Personal Data.
Conduct data protection impact assessments where required by applicable law.
Not submit special categories of Personal Data to the Service unless appropriate safeguards and legal bases are in place.

7. Sub-processors

7.1 General Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors for the purpose of providing the Service. The current list of Sub-processors is provided in Annex B to this DPA.

7.2 Notification of Changes

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. The Processor shall provide at least 14 days' notice before engaging a new Sub-processor by updating the list at https://feedbakery.io/dpa and notifying the Controller via email.

7.3 Right to Object

If the Controller has a reasonable objection to the engagement of a new Sub-processor, the Controller shall notify the Processor in writing within 14 days of receiving notice. The parties shall discuss the objection in good faith. If the parties cannot reach a resolution, the Controller may terminate the affected Service by providing written notice.

7.4 Sub-processor Agreements

The Processor shall impose on each Sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

8. International Data Transfers

8.1 Processor Infrastructure

The Processor's primary infrastructure is located in the European Union (Amsterdam, Netherlands). Personal Data is stored and processed within the EU.

8.2 Sub-processor Transfers

Some Sub-processors may process Personal Data outside the European Economic Area. Where such transfers occur, the Processor ensures that appropriate safeguards are in place, including:

Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR)
Adequacy decisions by the European Commission (Article 45 GDPR)
Other appropriate safeguards as permitted under Chapter V of the GDPR

Details of Sub-processor locations and transfer mechanisms are provided in Annex B.

9. Data Breach Notification

9.1 Notification Obligation

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller's Personal Data.

9.2 Content of Notification

The notification shall include:

A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and Personal Data records concerned
The name and contact details of the Processor's contact point where more information can be obtained
A description of the likely consequences of the Data Breach
A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects

9.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach. The Processor shall also assist the Controller in fulfilling the Controller's obligation to notify the Supervisory Authority (Article 33 GDPR) and, where required, the affected Data Subjects (Article 34 GDPR).

10. Audit Rights

10.1 Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations under this DPA and Article 28 GDPR.

10.2 Audit Conditions

The Controller may conduct audits (or engage a qualified third-party auditor) subject to the following conditions:

The Controller shall provide at least 30 days' written notice of an audit request.
Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
The Controller (or its auditor) shall be bound by confidentiality obligations.
The Controller shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Processor.
Audits shall be limited to once per calendar year, unless a Data Breach or regulatory investigation necessitates an additional audit.

10.3 Third-Party Certifications

The Processor may satisfy audit requests by providing relevant third-party certifications, audit reports (e.g., SOC 2), or other evidence of compliance, where available.

11. Data Deletion and Return

11.1 During the Term

The Controller may delete projects, posts, and End User data through the Service at any time. Deleted data is soft-deleted immediately and permanently removed within 30 days.

11.2 Upon Termination

Upon termination of the Controller's account, the Processor shall:

Retain the Controller's data in a deactivated state for 30 days to allow for data export or account reactivation.
After the 30-day retention period, permanently delete all Personal Data associated with the Controller's account.
Upon request made during the 30-day retention period, provide the Controller with an export of their data in a structured, commonly used, machine-readable format (JSON or CSV).

11.3 Exceptions

The Processor may retain Personal Data beyond the periods stated above only where required by applicable law (e.g., transaction records retained for tax and accounting purposes for up to 7 years). Such retained data shall be limited to what is legally required, isolated from active systems, and protected by appropriate security measures.

12. Liability

The parties' liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions, except that neither party excludes or limits its liability for obligations that cannot be limited under applicable data protection law.

13. Term and Termination

This DPA shall come into effect on the date the Controller begins using the Service and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

Termination of the Service agreement (whether by the Controller or the Processor) shall automatically trigger the data deletion provisions in Section 11.

The obligations of the Processor regarding confidentiality, data deletion, and cooperation with regard to Data Breaches shall survive termination of this DPA.

14. Amendments

The Processor may update this DPA from time to time to reflect changes in law, regulatory guidance, or the Processor's data processing practices. Material changes will be communicated to the Controller via email at least 30 days before taking effect. Continued use of the Service after the effective date of the updated DPA constitutes acceptance of the changes.

15. Contact

For any questions regarding this DPA or to exercise rights under this agreement:

Email: [email protected]
Website: https://feedbakery.io

Annex A — Details of Processing

Element	Description
Subject matter	Provision of a customer feedback management platform
Duration	For the duration of the Controller's use of the Service
Nature and purpose	Collection, storage, organization, retrieval, and display of End User feedback data to enable the Controller to manage product feedback
Categories of Data Subjects	End Users of the Controller's products who interact with feedback boards
Categories of Personal Data	Email addresses, display names, feedback content (posts, votes, comments), IP addresses, browser user agent, session data, timestamps
Special categories of data	None (not intentionally collected)

Annex B — List of Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Controller:

Sub-processor	Purpose	Data processed	Location	Transfer mechanism
Paddle (Paddle.com Market Limited)	Payment processing and subscription management (Merchant of Record)	Transaction identifiers, subscription status, billing country	United Kingdom / EU	UK adequacy decision
Mailgun (Sinch Email)	Transactional email delivery (magic links, notifications)	Email addresses, email content	EU / US	Standard Contractual Clauses
Bugsnag (SmartBear)	Error tracking and application monitoring	IP addresses, browser user agent, error context (may include anonymized usage data)	US	Standard Contractual Clauses
Hosting provider	Server infrastructure and data storage	All data stored by the Service	EU (Amsterdam, Netherlands)	N/A (within EU)

This list was last updated on February 20, 2026 (originally published December 13, 2018). Changes to this list will be communicated in accordance with Section 7.2 of this DPA.