Privacy Policy

Last updated: March 4, 2026

Who We Are and How to Contact Us

Retenza is operated by CLARK MEDIA, registered in Toruń, Poland (NIP: 8792694429). We are the data controller for all personal information processed through our platform.

Data Protection Officer: Support@tryretenza.com | CLARK MEDIA, ul. Mazowiecka 52/68, nr 9, 87-100 Toruń, Poland

What Personal Data We Collect

We collect data that you provide directly to us and data generated automatically when you use our services.

  • Account data: name, email address, password (hashed), company name
  • Billing data: billing address, payment method details (handled by Stripe — we never store card numbers)
  • Communication data: support emails you process through our platform, conversation history
  • Usage data: pages visited, features used, session duration, browser type, IP address
  • Integration data: Shopify store URL, OAuth tokens (encrypted at rest), order data fetched during email processing
  • Cookies and tracking data: session cookies, analytics cookies (see our Cookie Policy)

Legal Basis for Processing

We process your personal data only where we have a valid legal basis under GDPR Article 6:

  • Contract performance — to provide you with the Retenza service you subscribed to
  • Legitimate interests — to improve our platform, prevent fraud, and ensure security
  • Legal obligation — to comply with applicable law (tax records, regulatory requirements)
  • Consent — for optional analytics and marketing communications (you can withdraw at any time)

How We Use Your Data

We use your personal data strictly for the purposes described here:

  • Providing and improving the Retenza service
  • Processing customer support emails on your behalf using our AI pipeline
  • Managing your account, subscription, and billing
  • Sending transactional emails (receipts, password resets, usage alerts)
  • Sending product updates and newsletters (only with your consent)
  • Detecting, preventing, and responding to fraud or security incidents
  • Complying with legal and regulatory obligations

Data Sharing and Third Parties

We do not sell your personal data. We share data only with trusted sub-processors required to deliver our service:

  • Stripe (payment processing) — EU-US Data Privacy Framework certified
  • Shopify (e-commerce integration) — data shared only for order lookups initiated by you
  • Anthropic (AI processing) — anonymised email content for AI reply generation; governed by Anthropic's enterprise DPA
  • Google (Gmail integration) — OAuth tokens for email access; governed by Google's API Services User Data Policy
  • Vercel (hosting infrastructure) — servers located in EU regions
  • Redis Cloud (queue processing) — EU-hosted, encrypted in transit and at rest

All sub-processors are bound by Data Processing Agreements (DPAs) ensuring GDPR compliance.

International Data Transfers

Some of our sub-processors are based outside the European Economic Area (EEA). When we transfer personal data internationally, we ensure adequate protection through one of the following mechanisms:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • EU-US Data Privacy Framework (DPF) certification
  • Adequacy decisions recognised by the European Commission

Data Retention

We retain your data only for as long as necessary for the purposes described in this policy:

  • Account data: retained for the duration of your subscription plus 90 days after termination
  • Conversation and email data: retained for 12 months, then anonymised unless you request earlier deletion
  • Billing records: retained for 7 years to comply with Polish tax law
  • Audit logs: retained for 12 months
  • Backups: purged within 30 days of the data deletion date

Your Rights Under GDPR

As a data subject, you have the following rights under GDPR. To exercise any right, contact dpo@retenza.com. We will respond within 30 days.

  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure ('right to be forgotten') — request deletion of your data where no legal obligation requires us to retain it
  • Right to restriction — request we limit processing of your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests or for direct marketing
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time
  • Right to lodge a complaint — with your national supervisory authority (in Poland: UODO, uodo.gov.pl)

Security Measures

We implement technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction:

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Passwords hashed using bcrypt with a minimum cost factor of 12
  • Role-based access control — employees access only the data they need
  • Regular penetration testing and security audits
  • SOC 2 Type II audit in progress
  • Automated vulnerability scanning and dependency monitoring

Cookies

We use cookies and similar tracking technologies. Please read our separate Cookie Policy for full details on the cookies we use, their purpose, and how to manage your preferences.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the 'Last updated' date above.

Your continued use of Retenza after any change constitutes acceptance of the updated policy. If you disagree with a change, you may close your account before the effective date.