Data Processing Addendum

Last updated: June 18, 2026

This Data Processing Addendum (“DPA”) supplements and is incorporated into the RetainerBase Terms of Service. It applies when you (“Controller”) use RetainerBase to store or process personal data of your clients or other individuals, and you are subject to applicable data protection law such as the EU General Data Protection Regulation (GDPR) or UK GDPR.

1. Definitions

  • “Personal Data” — any information relating to an identified or identifiable natural person, as defined in applicable data protection law.
  • “Processing” — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
  • “Controller” — you, the RetainerBase customer, who determines the purposes and means of Processing.
  • “Processor” — RetainerBase, which Processes Personal Data only on your behalf and instructions.
  • “Sub-processor” — any third party engaged by RetainerBase to assist in Processing Personal Data.
  • “Data Subject” — the individual whose Personal Data is being Processed (e.g., your client).

2. Scope and Nature of Processing

RetainerBase processes the following categories of Personal Data on your behalf:

Category          Examples
Identity data     Client name, business name
Contact data      Client email address
Financial data    Invoice amounts, payment status
Project data      Project names, status notes
Uploaded files    Assets and documents clients upload to portals

Purpose of Processing: To provide you with the RetainerBase billing and client portal service as described in the Terms of Service.
Duration: For the period you maintain a RetainerBase account. Data will be deleted within 90 days of account closure per Section 8 below.

3. Processor Obligations

RetainerBase shall:

  • Process Personal Data only on your documented instructions (including as set out in the Terms of Service and this DPA)
  • Ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organizational security measures described in Section 6
  • Not engage new Sub-processors without providing you reasonable prior notice (Section 4)
  • Assist you, where technically feasible, in responding to Data Subject rights requests (Section 7)
  • Notify you without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data breach affecting your data
  • Delete or return all Personal Data upon termination per Section 8, and delete existing copies unless retention is required by law
  • Provide reasonable assistance to allow you to conduct and document data protection impact assessments (DPIAs) where required

4. Sub-processors

You grant RetainerBase general authorization to engage the following Sub-processors:

Sub-processor                  Purpose                                    Data location    Privacy policy
Supabase, Inc.                 Database, authentication, file storage     US / EU          Published by Supabase
Stripe, Inc.                   Payment processing                         US / Global      Published by Stripe
Transactional email provider   Email delivery for invoices and reminders  US               Not listed

We will inform you of any intended change to Sub-processors with at least 14 days’ notice, giving you the opportunity to object. If you reasonably object, we will work with you to find an alternative solution.

5. International Data Transfers

Personal Data may be transferred to and processed in the United States and other countries outside the EU/EEA. For transfers from the EU/EEA or UK subject to GDPR or UK GDPR, RetainerBase relies on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent approved transfer mechanisms. Upon written request, we will provide you with the applicable SCCs.

6. Technical and Organizational Security Measures

RetainerBase implements the following measures:

  • Encryption in transit: TLS 1.2 or higher for all data transmission
  • Encryption at rest: AES-256 encryption for stored data, managed by Supabase
  • Access controls: Role-based access and principle of least privilege
  • Authentication: Secure session management via Supabase Auth
  • Logging and monitoring: Security event logging for anomaly detection
  • Vendor security: Sub-processors are contractually required to maintain equivalent security standards

7. Data Subject Rights

You are responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection). RetainerBase will assist you in fulfilling such requests where technically feasible — for example, by enabling you to export or delete client records from your dashboard. Where you require our direct assistance, email hello@retainerbase.ai.

8. Return and Deletion of Data

Upon termination of your RetainerBase account (for any reason), you may request an export of your data within 30 days of termination. After that window — or upon your instruction — we will delete all Personal Data within 90 days, except where retention is required by applicable law.

9. Audit Rights

You may request written confirmation of our compliance with this DPA no more than once per calendar year. We will respond within 30 days. On-site audits are not offered at this time; we will provide reasonable documentary evidence of compliance in lieu.

10. Conflict

In the event of any conflict between this DPA and the Terms of Service with respect to data protection matters, this DPA shall prevail.

11. Contact

Data protection inquiries: hello@retainerbase.ai
RetainerBase, Texas, United States