Privacy Policy

Last updated July 3, 2026

Controller and scope

This Privacy Policy explains how TestFirst processes personal data when you visit the website, create an account, submit an idea to validate, upload materials, communicate with us, pay for a test, or when someone signs up to a waitlist we run for a test.

TestFirst is operated by Harro Krog as an Einzelunternehmen in Germany. The complete provider details are listed in the legal notice / Impressum and can be used for privacy requests.

For website visitors, prospects, account users, and billing contacts, TestFirst usually acts as controller. When TestFirst runs a validation campaign and captures waitlist signups for your idea, TestFirst collects that data to deliver the test to you and then hands it over to you; for your later use of that waitlist you act as the controller.

Personal data we collect

From customers we may collect account details, name, email address, company or project name, billing status, the idea you submit, campaign briefs, uploaded files, creative feedback, support messages, technical logs, device and browser metadata, cookie preferences, and payment event references.

When we run a validation test, we produce UGC-style ads, distribute them through advertising platforms, and drive interested people to a waitlist or landing page. From those respondents we may collect email addresses, names where provided, responses or survey answers, and engagement and campaign metadata such as which ad or angle they responded to.

Advertising and analytics platforms we use to distribute a test may collect additional data about ad viewers under their own privacy terms, including impression, click, conversion, and audience data that they report back to us in aggregated or pseudonymous form.

Why we process data

We process personal data to provide TestFirst, create and manage accounts, scope and run validation tests, produce and distribute ads, build waitlist and landing pages, measure results, deliver your verdict and waitlist, communicate with you, process billing, prevent abuse, secure the service, meet legal obligations, and improve the product.

We do not use the contents of your idea, your uploaded materials, or waitlist data to create public case studies, testimonials, or marketing claims unless you have given clear written permission for that specific use.

Legal bases

Where GDPR applies, we process data when it is necessary to perform a contract or take steps before entering into a contract, when we must comply with legal obligations, when processing is necessary for legitimate interests such as security, fraud prevention, support, measuring and improving campaigns, payment handling, and legal defense, or when you or a waitlist respondent have given consent.

Waitlist and landing pages present their own notice and, where required, collect consent from respondents at the point of signup. You can withdraw consent where processing is based on consent; withdrawal does not affect processing that already happened lawfully before withdrawal.

Cookies, local storage, and analytics

The website and dashboard may use necessary cookies or local storage to keep the service working, remember session state, remember cookie preferences, and protect accounts.

Optional analytics and advertising cookies or similar technologies may be used only where allowed by law or consent settings. On waitlist and landing pages we run for a test, advertising platform pixels or conversion tags may be present to measure the campaign; these operate under the relevant platform's terms and any consent collected on the page.

Sharing and processors

We do not sell personal data. We may share data with service providers that host, secure, distribute, analyze, bill, email, monitor, or support TestFirst. These providers may include infrastructure, database, advertising, payment, email, error monitoring, communication, and authentication providers.

Current provider categories may include Vercel or similar hosting providers, Supabase for database and authentication, Stripe for payments, advertising platforms such as Meta, TikTok, or similar networks for ad distribution, Resend or similar email providers, Slack for the shared test channel and operations, and analytics providers where enabled.

We may also disclose data when required by law, to enforce agreements, to protect rights and security, to respond to lawful requests, or as part of a business transfer. We only share the data needed for the relevant purpose.

Waitlist data and handoff

A core deliverable of TestFirst is the waitlist of people who signed up during your test. We collect that data to run and deliver the test and then make it available to you, together with the shared Slack channel where the test ran, as described in your plan.

Once waitlist data is handed to you, you become responsible for it as controller. You must tell those people how you will contact them and process their data, honor their rights and any unsubscribe request, and only use the waitlist for the purpose they signed up for. You should not add them to unrelated marketing without a lawful basis.

Where TestFirst processes waitlist or respondent data on your behalf before or during handoff, the parties should use a data processing agreement / Auftragsverarbeitungsvertrag where required by GDPR Article 28.

International transfers

Some providers, including advertising and infrastructure platforms, may process data outside Germany or the European Economic Area. Where required, TestFirst relies on appropriate safeguards such as adequacy decisions, standard contractual clauses, data processing agreements, or other lawful transfer mechanisms.

Retention

We keep personal data only as long as needed for the purpose collected, including running and delivering the test, account management, accounting, tax records, dispute handling, fraud prevention, legal defense, and platform security.

Account, billing, and tax records may be kept for statutory retention periods. Idea submissions, campaign materials, waitlist exports, and support records may be retained while an account is active and afterward where retention is necessary for legal, contractual, audit, or security reasons. After handoff, you keep your own copy of the waitlist and remain responsible for it.

Security

We use reasonable technical and organizational measures to protect personal data, including access controls and limiting use of data to the work you engaged us for. No internet service is perfectly secure, and you should avoid sending unnecessary secrets, passwords, private keys, or sensitive personal data into idea submissions or uploads.

Your rights

Where applicable, you can request access, correction, deletion, restriction, portability, or objection to processing of your personal data. Waitlist respondents can exercise the same rights against the current controller of that data. You may also have the right to complain to a data protection authority.

Some requests may be limited where we must keep data for legal obligations, accounting, security, dispute handling, or legal defense.

Contact

For privacy questions or requests, contact TestFirst at krogharro@gmail.com or by using the contact details listed in the Impressum.