Privacy policy
Last updated: 2026-05-08
At a glance
- ✓ GDPR compliant
- ✓ Customer data stored in the European Economic Area
- ✓ Anonymous respondents by design
- ✓ Right to access, deletion, and data export supported
- ✓ Data Processing Agreement available — see /legal/dpa
- ✓ Sub-processors listed at /legal/sub-processors
This policy explains how 360review (operated by Dunbar App Inc.) handles personal data.
Who is the data controller?
For data we collect about you directly (account, billing, support correspondence): we are the controller.
For data submitted into the service by a customer organisation (a leader’s team feedback programme): the customer organisation is the controller and we are the processor under GDPR Article 28.
What data we collect
We collect only what’s needed to operate the service:
- Account information required to set up and bill your account
- The content you and your team submit through the service (self-assessment ratings, anonymous team responses, generated reports)
- Support correspondence you initiate
- Standard operational logs
We do not run third-party analytics or advertising trackers. We never use your data to train AI models.
Where data is stored
All primary customer data is stored and processed within the European Economic Area (EEA). A current sub-processor list is published at /legal/sub-processors.
Your rights
If you are an EEA, UK, or Swiss data subject, you have the right to access, correct, delete, port, restrict, and object to the processing of your personal data. To exercise any of these, contact us. We respond within 30 days.
For data submitted by a customer organisation, please contact that organisation directly.
Retention
We retain personal data for as long as needed to deliver the service, plus any period required by law (e.g., billing records). On request, we delete or return your data within 30 days.
International transfers
Where personal data flows outside the EEA, we rely on the European Commission’s Standard Contractual Clauses. Our transactional email provider (Resend) is US-based and is certified under the EU-US Data Privacy Framework.
Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, access controls on production systems, and breach-notification procedures aligned with GDPR Article 33.
Contact
Dunbar App Inc.
8 The Green Suite 7013, Dover, DE 19901, USA
For data-protection enquiries, please use our contact form and put “GDPR” in the message.
Changes
We may update this policy. Material changes that affect your rights will be communicated by email to active customers at least 14 days before they take effect.