Privacy Policy

Last updated: June 18, 2026

RetainerBase (“we,” “us,” or “our”) operates the website at retainerbase.ai and the RetainerBase SaaS platform. This Privacy Policy explains what personal information we collect, why we collect it, how we use and share it, and what rights you have with respect to it. By using the Service you agree to the practices described here.

1. Information We Collect

Account information. When you register, we collect your name, email address, and a hashed password managed by Supabase. You may also add your business name.

Payment information. Payments are processed by Stripe, Inc. We do not store your full card number or bank account details. We receive from Stripe a payment record, method identifier, and status.

Client data you enter. When you use RetainerBase to manage your clients, you enter client names, email addresses, project information, and billing amounts. You are the data controller for this information; we process it on your behalf.

Uploaded files. Files your clients upload via client portals are stored in Supabase Storage and accessible only to you.

Usage and log data. Our servers automatically record IP addresses, browser type, pages visited, referring URLs, and timestamps. This data is used for security and to improve the Service.

Communications. If you contact us by email, we retain that correspondence to assist you and improve support.

2. How We Use Your Information

  • To provide, operate, and improve the Service
  • To process payments and prevent fraud
  • To send transactional emails (invoices, payment reminders, magic-link portal access)
  • To respond to support requests
  • To enforce our Terms of Service and legal obligations
  • To detect, investigate, and prevent security incidents or abuse

We do not use your data for advertising. We do not sell personal data.

3. Data Sharing and Sub-processors

We share personal data only with the following trusted sub-processors:

  • Supabase, Inc.: Authentication, database storage, and file storage; US / EU
  • Stripe, Inc.: Payment processing (PCI-DSS Level 1 certified); US / Global
  • Transactional email provider: Sending invoices, reminders, and portal links; US

We do not share your data with advertising networks, data brokers, or any other third parties not listed above. We may disclose data if required by law, legal process, or to protect the rights and safety of RetainerBase, its users, or the public.

4. Cookies and Tracking

We use only strictly necessary authentication cookies. We do not use tracking pixels, advertising cookies, or behavioral analytics. See our full Cookie Policy.

5. Data Retention

We retain your account data for as long as your account is active. Client portal data, invoices, and project information are retained until you delete them or close your account.

When you close your account, we delete your personal data within 90 days, except where we are required by law to retain it longer (e.g., financial records for tax purposes, typically 7 years).

6. Security

We implement industry-standard security measures: TLS 1.2+ encryption for data in transit, AES-256 encryption for data at rest (managed by Supabase), and strict access controls. Payments are handled by Stripe, a PCI-DSS Level 1 certified provider. No security measure is 100% foolproof — we will notify you promptly of any breach affecting your account.

7. International Transfers

RetainerBase is based in the United States. If you are located in the EU, EEA, or UK, your data may be transferred to and processed in the US. Such transfers rely on Standard Contractual Clauses or equivalent mechanisms. See our Data Processing Addendum for details.

8. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access — obtain a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data
  • Portability — receive your data in a machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to certain processing activities

To exercise any right, email hello@retainerbase.ai. We will respond within 30 days.

EU/UK residents have rights under the GDPR/UK GDPR and may lodge a complaint with their local supervisory authority.

California residents have rights under the CCPA/CPRA, including the right to know, delete, and opt out of sale. We do not sell personal data.

9. Children

The Service is not directed to individuals under 16. We do not knowingly collect personal information from children. If we learn that we have inadvertently collected such data, we will delete it promptly.

10. Changes to This Policy

We will notify registered users of material changes to this Privacy Policy by email at least 30 days before they take effect. The updated policy will be posted on this page with a revised “Last updated” date.

11. Contact

Privacy inquiries: hello@retainerbase.ai
RetainerBase, Texas, United States