Privacy policy

How Feed Panda collects, uses, stores, and protects personal data.

Last updated: May 1, 2026

Who we are

Feed Panda is a product feed management platform operated by Flex Development, a Dutch sole proprietorship (eenmanszaak) trading as Feed Panda.

  • Registered at the Dutch Chamber of Commerce (KvK) under number 70780676.
  • VAT number: NL002421755B81.
  • Registered address: Westerscheld 245, 2721 NM Zoetermeer, Netherlands.
  • Privacy contact: privacy@feed-panda.com.

Flex Development has not designated a formal Data Protection Officer under Article 37 GDPR because our core activities do not require one. Privacy questions are handled by the person behind the email address above.

Our role: controller and processor

The GDPR distinguishes between a controller (who decides why and how data is processed) and a processor (who processes data on the controller's instructions). Flex Development acts in both roles, depending on the data category:

  • We are the controller for account data, billing data, usage data, support communications, and marketing communications. This policy governs that processing.
  • We are a processor for the product data you move through the platform and for the integration credentials you provide us. You (our customer) are the controller of that data. This processing is governed by our Data Processing Agreement, which applies in addition to this policy and our Terms of Service.

What we collect

We only collect what we need to run the service you signed up for.

  • Account data: name, email address, password hash, workspace name. Required to create and secure your account.
  • Billing data: company name, billing address, VAT number, and tokenized payment identifiers held by our payment processor. Required to bill you and meet tax obligations.
  • Integration credentials: OAuth tokens, API keys, SSH keys, and SFTP passwords you provide to connect your sources and destinations. All credentials are encrypted at rest with AES-256.
  • Product data: the rows your feeds move through the platform. We process this on your instruction only and do not use it for any other purpose. If your feeds contain personal data about your own customers or end users, you are the controller of that data and we are the processor.
  • Usage data: logs of feature use, timing, errors, and device and browser metadata needed to secure and improve the service.
  • Support communications: messages you send us and our replies.

Providing account and billing data is a contractual requirement. If you do not provide it, we cannot provide the service. All other data is collected automatically as part of using the platform.

Why we process it

  • To provide the service you signed up for.
  • To run, secure, and improve the platform, including preventing abuse and fraud.
  • To bill you, manage your subscription, and handle tax obligations.
  • To respond to your support requests.
  • To comply with legal obligations we are subject to, including Dutch tax and accounting law.
  • With your consent, to send you product updates and marketing emails you asked for.

Sharing and subprocessors

We share personal data only with vetted subprocessors who help us run the service. Each subprocessor is bound by a written data processing agreement and is restricted to the purposes listed below.

Subprocessor Purpose Processing location
Hetzner Online GmbH Application and database hosting Germany / Finland (EU)
Amazon Web Services EMEA SARL (Amazon SES) Transactional email delivery Frankfurt, Germany (EU). US parent company.
Stripe Payments Europe, Ltd. Subscription billing and payment processing Processing in the United States (Stripe, LLC) under Standard Contractual Clauses. EU contracting entity incorporated in Ireland.
Functional Software, Inc. (Sentry) Error monitoring and diagnostics EU data region. US parent company.
Simple Analytics B.V. (KvK 88269922) Privacy-friendly, cookie-less website analytics Amsterdam, Netherlands (EU)

We will notify customers at least 30 days before engaging a new subprocessor or replacing an existing one, giving you the opportunity to object on reasonable data protection grounds before the change takes effect.

Google user data

Feed Panda integrates with Google Drive so you can read product feed files from your Drive and write generated feed files back to it. This section explains, in addition to the rest of this policy, how we handle data we receive from Google APIs.

OAuth scopes we request

When you connect a Google Drive account to Feed Panda, we request the following OAuth scope:

  • https://www.googleapis.com/auth/drive. This grants read and write access to your Google Drive. We use this scope so that the same connection can serve as both a source (downloading CSV or XML feed files you select) and a destination (uploading the generated feed files Feed Panda produces, into the folder you choose, and updating or replacing those files on subsequent runs).

What we access and why

  • File and folder listings, to let you browse your Drive in our file picker and select the file or folder you want Feed Panda to read from or write to.
  • File contents of the files you select as a source, streamed into our pipeline at sync time, processed against the rules you configured, and then discarded. We do not retain the raw source file beyond the sync window needed to process it.
  • File metadata for files we write: names, IDs, modified timestamps, and parent folder IDs of files Feed Panda creates or updates as a destination, so we can reuse the same file on subsequent runs instead of creating duplicates.

We do not read, index, or scan files in your Drive other than the ones you explicitly select in our interface or the ones Feed Panda has itself created as a destination.

How we store Google user data

  • OAuth tokens (access tokens and refresh tokens issued by Google): stored securely in our database hosted in the EU, encrypted at rest using AES. Tokens are decrypted in memory only at the moment they are needed to call the Drive API.
  • Source file contents: streamed and processed in memory or in temporary storage, then deleted at the end of the sync run. We do not keep a permanent copy of your raw Drive files.
  • Destination file metadata (file IDs, folder IDs, names) we create as part of delivering your feeds: retained for as long as the connection exists, so we can keep updating the same target file.

How we share Google user data

We do not sell, rent, or trade Google user data, and we do not transfer it to third parties for advertising or any unrelated purpose. The only places Google user data flows are:

  • To our infrastructure subprocessors listed under "Sharing and subprocessors" (Hetzner for hosting, Sentry for error diagnostics) strictly to operate the service.
  • To the destinations you configure in Feed Panda (for example, an SFTP server or another cloud storage account), but only for files you have explicitly told us to deliver there.

Limited Use disclosure

Feed Panda's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not use Google user data to serve advertising, we do not sell Google user data, we do not transfer Google user data for any purpose unrelated to providing or improving the features of Feed Panda that are visible to users, and we do not allow humans to read Google user data unless we have your explicit consent for specific files, it is necessary for security purposes (such as investigating abuse), it is necessary to comply with applicable law, or the data has been aggregated and anonymized for internal operations and only in compliance with applicable privacy laws.

Disconnecting and deletion

You can disconnect your Google Drive account from Feed Panda at any time from Connections in the app. Disconnecting:

  • Stops all further calls to the Google Drive API on your behalf.
  • Deletes the encrypted OAuth tokens we hold for that connection from our database.
  • Deletes the destination file metadata associated with the connection.

You can additionally revoke Feed Panda's access from your Google Account at myaccount.google.com/permissions. Doing so invalidates our refresh token immediately. If you would like us to delete the metadata associated with a disconnected Google Drive integration outside the app, email privacy@feed-panda.com.

International transfers

Customer data is primarily stored and processed in the European Union. The subprocessor that processes personal data outside the EU is Stripe: under Stripe's Data Processing Agreement, billing data is transferred to Stripe, LLC in the United States for payment processing and fraud prevention, and may be processed globally by Stripe's affiliates.

For this transfer we rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional measures where appropriate (including encryption in transit and the data minimisation practices described under "What we collect"). We have carried out a transfer impact assessment and keep it under review.

Our cloud and error-monitoring subprocessors (Amazon Web Services and Sentry) process personal data in EU regions, but have parent companies established in the United States. We apply the same SCC-based safeguards to any residual parent-level access.

Retention

We keep personal data only as long as we need it to run the service or meet legal obligations.

  • Account data: retained while you are a customer and deleted shortly after you close your account, except for the billing records listed below.
  • Billing data and invoices: retained for 7 years after the end of the financial year in which the invoice was issued, as required by Article 52 of the Dutch Algemene Wet inzake Rijksbelastingen.
  • Product data and integration credentials: retained until you delete them, or until your account is closed, whichever comes first. If you need a copy of your data before your account is closed, contact us at privacy@feed-panda.com and we will provide it as a CSV or JSON export.
  • Support communications: retained for up to 3 years, to allow us to handle follow-up questions and comply with the general limitation period under Dutch civil law.
  • Security and application logs: retained for up to 90 days for debugging and security monitoring.

Security

We apply technical and organizational measures designed to protect personal data, including:

  • AES-256 encryption at rest for the integration credentials you provide us (OAuth tokens, API keys, SSH keys, passwords).
  • TLS 1.2 or higher in transit for every connection.
  • Least-privilege access controls and role-based permissions.
  • Regular backups.

Personal data breaches

If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the Autoriteit Persoonsgegevens within 72 hours of becoming aware, as required by Article 33 GDPR. Where the breach is likely to result in a high risk to you, we will notify you directly without undue delay in line with Article 34 GDPR, and describe the nature of the breach, likely consequences, and the measures we have taken.

Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal effects or similarly significantly affects you within the meaning of Article 22 GDPR.

Children

Feed Panda is a business-to-business service and is not directed at persons under the age of 16. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

No sale of personal data

We do not sell, rent, trade, or licence personal data to third parties, and we do not share it for cross-context behavioural advertising or for any marketing purpose other than the ones you have explicitly consented to. The only parties we share personal data with are the subprocessors listed above, each of them acting on our behalf and bound by a data processing agreement.

Your rights

Under the GDPR you can exercise the following rights in relation to your personal data:

  • Access to the data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure, subject to the retention obligations above.
  • Restriction of, or objection to, specific processing activities.
  • Portability of the data you have provided to us, in a structured, commonly used, machine-readable format (typically CSV or JSON export).
  • Withdrawal of consent for processing based on consent, at any time.
  • Lodging a complaint with the Dutch supervisory authority, Autoriteit Persoonsgegevens, or with the supervisory authority in your country of residence.

Requests can be sent to privacy@feed-panda.com. We respond within one month of receiving a complete request. For complex or numerous requests we may extend this period by up to two additional months as permitted under Article 12(3) GDPR, and we will tell you within the first month if we do. To protect your data from unauthorised requests we may ask for reasonable information to verify your identity before we act on a request. If a request is manifestly unfounded or excessive we may charge a reasonable fee or refuse to act on it, as permitted under Article 12(5) GDPR.

Cookies

This marketing website does not set any cookies. When you sign in to the product at app.feed-panda.com, we use a small number of strictly necessary cookies to keep you signed in, maintain session state, and keep the service secure. Strictly necessary cookies do not require consent under Article 11.7a of the Dutch Telecommunicatiewet.

For website analytics we use Simple Analytics, operated by Simple Analytics B.V. in Amsterdam, the Netherlands (KvK 88269922). Simple Analytics does not use cookies, does not track visitors across sites, and does not collect personal data such as IP addresses or device fingerprints. Because it meets the conditions for privacy-friendly analytics set out by the Autoriteit Persoonsgegevens, we are permitted to use it without asking for prior consent, and no cookie banner is required for analytics.

We do not load any advertising, retargeting, or third-party tracking technology. If we later introduce any cookie or tracking technology that does require consent, we will ask for it through a consent management tool before it is loaded, and we will publish a dedicated cookie policy listing each cookie, its purpose, duration, and recipient.

Other tracking technologies

We do not use pixels, web beacons, clear gifs, device fingerprinting, session replay, or cross-site tracking technologies on this website or in our emails.

Some browsers send a "Do Not Track" (DNT) signal. Because our analytics are cookie-less and we do not build behavioural profiles of visitors, there is effectively nothing for us to stop doing in response to a DNT signal. We still respect the spirit of the signal: we do not track you whether you send one or not.

Business transactions

If Flex Development is involved in a merger, acquisition, reorganisation, sale of assets, or insolvency, personal data may be transferred to the acquiring party or successor entity as part of that transaction. If such a transfer materially changes how your personal data is processed, we will notify you in advance and, where required, give you an opportunity to object or withdraw consent.

Privacy contact

Questions, requests, or complaints related to this policy can be sent to privacy@feed-panda.com or by post to Flex Development, Westerscheld 245, 2721 NM Zoetermeer, Netherlands.

Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of the page and, for material changes, notify customers by email at least 14 days before the change takes effect.