RetainLab

Privacy Policy

Last updated: 5 April 2026 · Effective: 5 April 2026

RetainLab ("we", "us", "our") operates retainlab.io, a B2B SaaS platform for customer retention analytics. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under the General Data Protection Regulation (GDPR) and applicable Dutch and EU law.

Data controller (your account data): RetainLab, retainlab.io · privacy@retainlab.io

Data processor (your customers' data): When you connect your Stripe account, RetainLab processes your subscribers' data on your behalf. In that context you are the Data Controller; we are the Data Processor. See Section 5.


1. Data we collect

Category           | Data                                                          | Source               | Our role
-------------------|---------------------------------------------------------------|----------------------|-----------
Account            | Name, email address, password (hashed)                        | You, via Clerk       | Controller
Billing            | Subscription plan, payment status, Stripe Customer ID         | Stripe               | Controller
Usage              | Dashboard interactions, feature usage, login timestamps       | Automatically        | Controller
Your customer data | Your Stripe subscribers: name, email, MRR, subscription status | Your Stripe API key  | Processor
API credentials    | Stripe restricted API key (encrypted at rest, AES-256)        | You                  | Processor
Communications     | Emails we send you (welcome, dunning reminders, trial alerts) | Resend               | Controller

2. Legal basis for processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): Processing your account data and Stripe customer data to deliver the service you subscribed to.
  • Legitimate interest (Art. 6(1)(f)): Service improvement, security monitoring, fraud prevention, and abuse detection.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by Dutch tax law (Belastingdienst, 7 years).
  • Consent (Art. 6(1)(a)): Marketing emails, if you opt in. You may withdraw consent at any time.

3. Sub-processors (third-party processors we use)

We engage the following sub-processors to deliver the Service. All are bound by GDPR-equivalent data protection obligations.

Processor                | Purpose                                    | Location        | Transfer mechanism
-------------------------|--------------------------------------------|-----------------|-------------------
Clerk (clerk.com)        | Authentication, user management            | USA             | SCCs (2021)
Stripe (stripe.com)      | Payment processing, subscription management | USA             | SCCs (2021)
Supabase (supabase.com)  | Database hosting                           | EU (Frankfurt)  | EU, no transfer
Resend (resend.com)      | Transactional email delivery               | EU (Ireland)    | EU, no transfer
Hetzner (hetzner.com)    | Server infrastructure                      | EU (Nuremberg)  | EU, no transfer

We will notify you of any changes to sub-processors that materially affect the processing of your data. We add or replace sub-processors only after implementing equivalent contractual protections.

4. Data retention

  • Account data: Retained while your account is active. Deleted within 30 days of a verified account deletion request.
  • Billing records: Retained for 7 years per Dutch tax law (Belastingdienst Art. 52 AWR).
  • Your customer data (Stripe sync): Deleted within 30 days of account deletion or Stripe disconnect.
  • API credentials: Deleted within 24 hours of Stripe disconnection or account deletion.
  • Server logs: Retained for 30 days for security monitoring, then automatically purged.

5. Our role as data processor (your customers' data)

When RetainLab accesses your Stripe account data, we act exclusively as a Data Processor under GDPR Art. 28. This means:

  • We process your subscribers' personal data (names, email addresses, subscription status) only on your documented instructions and only to provide the Service.
  • We do not sell, share, or use your customers' data for any purpose other than delivering the Service to you.
  • We maintain records of processing activities under GDPR Art. 30.
  • We will notify you within 72 hours of becoming aware of a personal data breach that affects your customers' data.
  • We will assist you in responding to data subject access, erasure, and portability requests concerning your customers.
  • Upon termination, we will delete or return all your customers' personal data within 30 days.

A full Data Processing Addendum (DPA) compliant with GDPR Art. 28, including Standard Contractual Clauses for any non-EEA transfers, is available on request at legal@retainlab.io.

6. API key security

Your Stripe API credentials are stored encrypted at rest using AES-256 encryption. We strongly recommend using a restricted API key with only the minimum permissions required (read access to customers and subscriptions). We never store or transmit payment card data — Stripe processes all payments directly. If you suspect your API key has been compromised, revoke it immediately in your Stripe dashboard and reconnect.

7. Your rights under GDPR

  • Right of access (Art. 15): Request a copy of all personal data we hold about you as a controller.
  • Right to rectification (Art. 16): Correct inaccurate data via your account settings or by emailing us.
  • Right to erasure (Art. 17): Request deletion of your account and associated data (subject to legal retention obligations).
  • Right to portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV).
  • Right to object (Art. 21): Object to processing based on legitimate interest. We will cease unless we have compelling grounds.
  • Right to restrict processing (Art. 18): Request we limit how we use your data while a dispute is resolved.

To exercise any right, email privacy@retainlab.io. We respond within 30 days (extendable by a further 60 days for complex requests, with notice). You may also lodge a complaint with the Dutch DPA: autoriteitpersoonsgegevens.nl.

8. Security

We implement technical and organisational measures under GDPR Art. 32 including: TLS 1.2+ encryption in transit, AES-256 encryption at rest for sensitive credentials, role-based access controls, server-side authentication for all API endpoints, and regular security reviews. Payment card data is never stored on our servers. Stripe handles all card processing and is PCI DSS compliant.

9. Cookies

We use strictly necessary cookies for authentication (Clerk session token) and CSRF security. We do not use tracking, advertising, or third-party analytics cookies. No consent banner is required for strictly necessary cookies under ePrivacy Directive Art. 5(3) and the Dutch Telecommunications Act.

10. International data transfers

Your account data is processed primarily within the EU (Hetzner, Supabase, Resend). Where data is transferred to the USA (Clerk, Stripe), such transfers are protected by Standard Contractual Clauses (EU Commission Decision 2021/914). No transfers are made to countries without an adequacy decision or appropriate safeguards.

11. Changes to this policy

We will notify you of material changes via email at least 14 days before they take effect. The updated policy will be published at retainlab.io/privacy. Continued use after the effective date constitutes acceptance.

© 2026 RetainLab