GDPR Compliance

Last updated: March 4, 2026

Data Controller Information

Retenza Sp. z o.o. is the data controller responsible for processing your personal data.

  • Company name: CLARK MEDIA
  • Registered address: ul. Mazowiecka 58-62, 87-100 Toruń, Poland
  • Company registration: PL8792694429
  • Data Protection Officer (DPO): support@tryretenza.com
  • Supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa — uodo.gov.pl

Our Role: Controller vs Processor

Retenza acts in two distinct capacities depending on the context:

  • Data Controller — for data about our own customers (account holders, billing contacts). We determine the purposes and means of processing this data.
  • Data Processor — for personal data of your end-customers (Shopify buyers) that passes through our platform for AI reply generation. You (the Retenza customer) are the data controller for this data. We process it only on your documented instructions.

A Data Processing Agreement (DPA) is available on request at legal@retenza.com and governs our processing activities as data processor.

Legal Bases for Processing

We only process personal data where we have a valid legal basis under GDPR Article 6:

  • Art. 6(1)(b) — Contract performance: processing necessary to provide you with the Retenza service
  • Art. 6(1)(c) — Legal obligation: processing required by applicable law (tax records, regulatory requests)
  • Art. 6(1)(f) — Legitimate interests: fraud prevention, platform security, and service improvement
  • Art. 6(1)(a) — Consent: analytics and marketing communications (withdrawable at any time)

For special categories of data (Art. 9), we rely on explicit consent or legal obligation. Our service is not designed to process special category data and our terms prohibit this without prior written agreement.

Your Rights as a Data Subject

Under GDPR Chapter III, you have the following rights. To exercise any of them, submit a request to dpo@retenza.com. We will acknowledge your request within 72 hours and respond fully within 30 days (extendable by 2 months for complex requests).

  • Right of access (Art. 15) — obtain confirmation of whether we process your data and a copy of all data held
  • Right to rectification (Art. 16) — correct inaccurate personal data without undue delay
  • Right to erasure (Art. 17) — request deletion where data is no longer needed, consent is withdrawn, or processing is unlawful
  • Right to restriction (Art. 18) — request that we limit processing in specified circumstances
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format (JSON or CSV)
  • Right to object (Art. 21) — object to processing based on legitimate interests or for direct marketing purposes
  • Rights related to automated decision-making (Art. 22) — we do not make solely automated decisions with significant legal effects on individuals
  • Right to lodge a complaint — with UODO or the supervisory authority in your country of residence

Data Retention Periods

We apply strict retention limits and delete data when it is no longer necessary for the purpose for which it was collected:

  • Account and profile data: retained for the duration of the subscription + 90 days post-termination
  • Customer email data (processed for AI replies): 12 months, then anonymised
  • Billing and financial records: 7 years (Polish Accounting Act requirement)
  • Audit logs: 12 months
  • Server logs (IP addresses, access logs): 90 days
  • Anonymised analytics data: indefinitely (no personal data)
  • Data subject requests and responses: 3 years (to demonstrate compliance)

International Data Transfers

When we transfer personal data outside the EEA, we ensure adequate protection through approved mechanisms:

  • EU Standard Contractual Clauses (SCCs) — used with all sub-processors not covered by adequacy decisions
  • EU–US Data Privacy Framework — for US-based sub-processors that are DPF-certified (e.g. Stripe, Anthropic)
  • Adequacy decisions — transfers to countries deemed adequate by the European Commission

A full list of our sub-processors and the transfer mechanisms in place is available on request.

Security and Data Breaches

We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Strict access controls based on least-privilege principle
  • Regular security audits and penetration testing
  • Employee training on data protection and security
  • Incident response plan with defined escalation procedures

In the event of a personal data breach, we will notify the competent supervisory authority (UODO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms. Where the risk is high, affected data subjects will also be notified without undue delay.

Data Processing Agreement (DPA)

If you are a business customer using Retenza to process personal data of your end-customers (e.g. Shopify buyers), you must enter into a Data Processing Agreement with us, as required by GDPR Article 28.

Our standard DPA is incorporated into our Terms of Service. A detailed DPA with full sub-processor schedules is available upon written request at support@tryretenza.com. Enterprise customers may request a bespoke DPA.

Updates to This Notice

This GDPR notice is reviewed at least annually and whenever there is a material change to our processing activities. We will notify you of significant changes by email and update the 'Last updated' date.

The current version of this notice is always available at tryretenza.com/gdpr.