Legal
Privacy Policy
Last updated: 10 March 2026
1. Who We Are
retainr (“retainr”, “we”, “us”, “our”) is operated by datadir s.r.o. (in process of registration), registered in the Czech Republic, European Union.
retainr provides an AI agent memory persistence API that enables Make.com, n8n, Zapier, and similar automation platforms to store and retrieve context across workflow runs.
As the entity that determines the purposes and means of processing personal data described in this policy, retainr is the data controller under Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”).
Contact: [email protected]
2. Scope of This Policy
This policy applies to:
- Visitors to retainr.dev and its subdomains
- Users who create an account and use the retainr API
- End-users whose data is submitted to retainr by our customers via the API
If you are an end-user (e.g. a customer of a business that uses retainr), the business that deployed retainr is the data controller for your data. We process it as their data processor. Please contact that business to exercise your rights.
3. Personal Data We Collect
3.1 Account and billing data
When you register for an account, we collect:
- Email address
- Password (stored as a bcrypt hash — never in plain text)
- Billing name and address (collected by Stripe on our behalf)
- Payment method details (held exclusively by Stripe — we never see full card numbers)
3.2 API usage data
When you use the retainr API, we process:
- API requests, including HTTP method, path, response status, and latency
- Workspace identifier and API key prefix (first 12 characters only)
- Operation counts for billing and quota enforcement
- Memory content you store (“memory payloads”) and the user identifiers you associate with them — this is data you control and may contain personal data about your end-users
3.3 Technical and analytics data
When you visit our website, we automatically collect:
- IP address (anonymised before storage)
- Browser type and operating system
- Pages visited and referrer URL
- Session duration
We use Umami Analytics, a self-hosted, privacy-first analytics tool. Umami does not use cookies and does not share data with third parties. All analytics data is stored on our own infrastructure in the EU (Hetzner, Germany).
3.4 Communications
If you contact us by email, we retain that correspondence including your email address and the content of your message for the duration of our relationship plus two years.
4. Legal Bases for Processing (GDPR Article 6)
| Purpose | Legal basis |
|---|---|
| Providing the API service and your account | Art. 6(1)(b) — performance of a contract |
| Sending transactional emails (API key, invoices, alerts) | Art. 6(1)(b) — performance of a contract |
| Processing payments via Stripe | Art. 6(1)(b) — performance of a contract |
| Fraud prevention and security monitoring | Art. 6(1)(f) — legitimate interests |
| Improving and developing the service | Art. 6(1)(f) — legitimate interests |
| Website analytics (Umami) | Art. 6(1)(f) — legitimate interests (privacy-preserving, no cookies) |
| Compliance with legal obligations (tax, accounting) | Art. 6(1)(c) — legal obligation |
| Responding to your support requests | Art. 6(1)(b) — contract / Art. 6(1)(f) — legitimate interests |
We do not rely on consent as a legal basis for any processing listed above. We do not send marketing emails. If we ever do, we will obtain opt-in consent separately and provide a clear unsubscribe mechanism.
5. How We Use Your Data
- Service delivery: authenticating your requests, enforcing quotas, routing API calls.
- Billing: generating invoices, processing subscription changes and refunds via Stripe.
- Transactional email: delivering your API key, billing receipts, and critical service alerts via Resend.
- Vector embeddings: when you store a memory, its text is sent to Voyage AI to generate a numerical embedding for semantic search. We do not use your data to train Voyage AI models.
- Security: detecting abuse, rate-limit violations, and API key misuse.
- Service improvement: aggregate, anonymised usage patterns to prioritise features.
We do not sell, rent, or share your personal data with third parties for their own marketing or advertising purposes. We do not use personal data for automated decision-making that produces legal or similarly significant effects.
6. Third-Party Processors
We engage the following sub-processors. Each has been assessed for GDPR compliance. Where a processor is located outside the EEA, we rely on the European Commission's Standard Contractual Clauses (SCCs, 2021 version) or an adequacy decision.
| Processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | VPS hosting, PostgreSQL database | Germany (EU) | EEA — no transfer |
| Stripe, Inc. | Payment processing | USA | SCCs + Stripe DPA |
| Resend, Inc. | Transactional email | USA | SCCs + Resend DPA |
| Voyage AI, Inc. | Text embedding generation | USA | SCCs + Voyage AI DPA |
| Vercel, Inc. | Next.js web hosting (retainr.dev) | USA / EU edge | SCCs + Vercel DPA |
| GitHub, Inc. (Microsoft) | Source code, CI/CD | USA | SCCs + Microsoft DPA |
We will notify you of any material changes to sub-processors at least 14 days in advance by email (for paying customers) or via a notice on this page.
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data (email, password hash) | Duration of account + 30 days after deletion request |
| API memory payloads | Until deleted by you via API or account deletion |
| Billing records and invoices | 10 years (Czech accounting law obligation) |
| API request logs (metadata only, no payload) | 90 days rolling |
| Support communications | Duration of relationship + 2 years |
| Anonymised analytics data | 36 months |
Billing records are retained for 10 years to comply with Czech Act No. 563/1991 Coll. on Accounting and Act No. 235/2004 Coll. on Value Added Tax (VAT), which require preservation of tax documents for this period regardless of a deletion request.
8. Your Rights Under GDPR
As a data subject in the European Economic Area (or UK), you have the following rights. You can exercise any of them by emailing [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing the request.
- Right of access (Art. 15): Receive a copy of all personal data we hold about you and information about how we process it.
- Right to rectification (Art. 16): Correct inaccurate or incomplete data.
- Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data. We will comply unless retention is required by law (e.g. billing records).
- Right to restrict processing (Art. 18): Ask us to pause processing your data while a dispute is resolved.
- Right to data portability (Art. 20): Receive your data in a machine-readable format (JSON) and transfer it to another controller.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling grounds.
- Rights related to automated decision-making (Art. 22): We do not carry out solely automated decision-making that produces legal effects.
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. In the Czech Republic, the competent authority is:
Office for Personal Data Protection (Úřad pro ochranu osobních údajů — ÚOOÚ)
Pplk. Sochora 27, 170 00 Prague 7, Czech Republic
Web: https://www.uoou.cz
If you are located in another EU/EEA member state, you may also contact your local supervisory authority. We encourage you to contact us first — we aim to resolve all privacy concerns directly.
10. Cookies
Our website (retainr.dev) does not use tracking cookies, advertising cookies, or third-party analytics cookies.
We set one functional, session-scoped cookie if you sign in to your dashboard. This cookie is strictly necessary for authentication and expires when you close your browser or after 24 hours. It does not require consent under the ePrivacy Directive.
Our analytics tool (Umami) is cookie-free and does not fingerprint users.
11. Security
We implement appropriate technical and organisational measures to protect personal data:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are hashed using bcrypt (cost factor ≥ 12)
- API keys are hashed using Argon2id before storage
- Database access requires Row-Level Security (RLS) policies enforced at the PostgreSQL level
- Production infrastructure has no direct public SSH access
- Daily encrypted backups to a separate volume
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay (GDPR Art. 34) where required.
12. Children
The retainr service is not directed to persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
13. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. We will post the revised policy on this page with an updated date. For material changes affecting your rights, we will notify paying customers by email at least 14 days before the change takes effect.
Continued use of retainr after a change takes effect constitutes acceptance of the updated policy.
14. Contact
For any privacy-related questions, requests, or complaints, please contact:
datadir s.r.o. (in process of registration) — Privacy
Email: [email protected]
Response time: within 5 business days for general enquiries; within 30 days for formal GDPR requests