Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Feedback Fish is a lightweight in product feedback widget by Feedback Fish GmbH (Germany) that lets users send written feedback, ratings and screenshots directly from a website or web application.
Feedback Fish is a lightweight feedback widget developed by Feedback Fish GmbH, a German startup. It is embedded with a single script tag and adds a small floating button that opens a modal where users can submit feedback, choose an emotion rating and optionally attach screenshots. Feedback Fish is popular with SaaS startups that need to collect user input without the heavy footprint of enterprise customer feedback platforms.
By default Feedback Fish operates with minimal storage, using localStorage to remember whether a user has already submitted feedback and limited request logs server side. The service receives the free text feedback, optional email address, page URL, browser user agent and IP address. Screenshots, when enabled, may contain personal data depending on what the user captures.
The submission of feedback by a user is typically treated as an implicit consent (Art. 6(1)(a) GDPR) or legitimate interest (Art. 6(1)(f) GDPR) for processing free text feedback. If the widget stores non strictly necessary data on the device, Art. 5(3) ePrivacy and section 25 TTDSG require prior consent. When only strictly necessary technical storage is used, consent for storage itself can be avoided.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Feedback Fish hosts customer data in the European Union. Some sub processors (such as Vercel for the frontend or email delivery providers) may be US based and rely on SCCs and the EU US Data Privacy Framework. The exposure remains far smaller than with US first vendors and the operator should verify the current sub processor list.
The risk level is generally low. A formal DPIA is not required for standard product feedback scenarios. Operators should still assess risks when screenshots are enabled, when the widget is used by employees or by minors, or in regulated industries.
Sign a Data Processing Agreement with Feedback Fish GmbH, list the service in your privacy notice and sub processor register, configure the widget to avoid unnecessary fields, disable screenshots if they may capture personal data, set short retention periods and make sure user submitted email addresses are handled as personal data.
Websites using Feedback Fish must obtain user consent under GDPR regulations.
DPIA considerations
A full DPIA under Art. 35 GDPR is not normally required because Feedback Fish processes a limited amount of low risk data (free text feedback, optional email, screenshots if enabled). A simplified risk assessment is still recommended when feedback is collected from authenticated areas, when screenshots may contain personal data, or when widgets are used in sensitive contexts (healthcare, employees, minors).
Sample consent text
We use Feedback Fish (Feedback Fish GmbH, Germany) to collect your feedback. Your feedback, optional email address and any attached screenshot are sent to Feedback Fish servers in the European Union. By submitting the form, you consent to this processing.
Third-party domains contacted
feedback.fishapi.feedback.fishcdn.feedback.fishapp.feedback.fishCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| feedbackfish_last_submit | local_storage | persistent | LocalStorage flag indicating that the user has recently submitted feedback, used to throttle the widget UI. |
| feedbackfish_session | session | session | Optional session identifier used while the modal is open to correlate a feedback submission with the originating page view. |
| feedbackfish_user | local_storage | 6 months | LocalStorage value linking returning anonymous users to their previous feedback (only when a user identifier is passed by the host application). |
| feedbackfish_widget_open | session | session | Session flag indicating whether the feedback modal has been opened during the current page view. |
Feedback Fish uses cookies for user preferences — inform visitors with a consent banner.
Feedback Fish has a minimal footprint. It typically uses localStorage to remember submissions and limited server side logs. It does not set advertising or cross site tracking cookies.
When the widget operates with strictly necessary storage only, prior consent is generally not required under Art. 5(3) ePrivacy. Once email addresses or screenshots are processed, the submission step itself should be treated as an explicit user action and informed.
Article 6(1)(a) GDPR (consent through active submission) or Art. 6(1)(f) GDPR (legitimate interest in improving the product). The legal basis must be clearly explained in the privacy notice.
Feedback Fish stores data in the European Union. Some sub processors may be located in the US under SCCs and the EU US Data Privacy Framework. The exposure is significantly lower than with US headquartered competitors.
A formal DPIA is normally not required because the processing is low risk and limited in scope. A simplified review is recommended when screenshots are enabled, in employee contexts or with minors.
Sign the DPA, list Feedback Fish in your privacy notice and sub processor register, limit collected fields, set short retention, disable screenshots when sensitive data may be captured and inform users of the optional email field.
Alternatives include self hosted feedback forms, Sleekplan, Canny (US), Productboard (US) and Userback. EU based alternatives tend to provide the strongest GDPR posture.
Mention the service, the controller (Feedback Fish GmbH, Germany), the purposes (collecting product feedback), the legal basis, the retention period and the EU US transfers for sub processors if any. Update at least annually.