Privacy Policy

Last Updated: February 9, 2026

1. Introduction

Keepbase ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our subscription retention platform and services (the "Service").

This policy applies to all users of keepbase.dev and our related services. By using the Service, you consent to the data practices described in this policy.

Effective Date: February 9, 2026
Contact: For privacy-related questions, email us at hello@keepbase.dev

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address (required for authentication)
  • Name (optional, if provided)
  • Company information (optional, business name)
  • Password (encrypted, never stored in plain text)

2.2 Stripe Integration Data

When you connect your Stripe account via OAuth, we collect and store:

  • Stripe account ID (for API access)
  • OAuth access tokens (encrypted using AES-256-GCM)
  • Subscription data (customer IDs, subscription status, pricing tiers)
  • Webhook events (subscription updates, cancellations, payment events)

Important: We do not store credit card numbers, CVV codes, or full payment card details. All payment processing is handled by Stripe.

2.3 Usage Data

We automatically collect information about how you use the Service:

  • Dashboard interactions and feature usage
  • API requests and response times
  • Browser type, device type, and operating system
  • IP address and geographic location (country/region level)
  • Pages viewed and time spent on pages

2.4 Cookies and Tracking

We use cookies and similar tracking technologies:

  • Essential cookies: Authentication, session management (required for Service functionality)
  • Analytics cookies: Usage patterns, performance monitoring (optional, can be disabled)
  • Preference cookies: UI settings, dashboard configurations

2.5 End-User Data (Your Customers)

When your customers interact with retention offers presented by Keepbase, we collect:

  • Cancellation survey responses (feedback text, selected reasons)
  • Retention offer interactions (views, accepts, declines)
  • Customer subscription IDs (one-way hashed)

We do not collect personally identifiable information (names, emails, addresses) from your customers beyond what is necessary for the retention flow.

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: Provide and maintain the subscription retention platform, including displaying retention offers and processing customer feedback
  • Authentication: Verify your identity and manage your account access
  • Stripe Integration: Sync subscription data, monitor cancellations, and apply retention offers
  • Analytics: Analyze churn patterns, measure save rates, and provide insights on subscription health
  • Product Improvement: Enhance features, fix bugs, and develop new functionality
  • Communication: Send service updates, security alerts, and support responses
  • Compliance: Comply with legal obligations, prevent fraud, and enforce our Terms of Service

We do not sell your personal information to third parties. We do not use your data for advertising or marketing purposes beyond our own Service.

4. Data Sharing and Third-Party Services

We share your information with the following third-party service providers who help us operate the Service:

4.1 Stripe (Payment Processing)

  • Purpose: Process subscription payments, manage connected accounts via OAuth, access subscription data
  • Data Shared: Stripe account ID, OAuth tokens, subscription information, customer IDs
  • Privacy Policy: https://stripe.com/privacy
  • Location: United States

4.2 Supabase (Database Hosting)

  • Purpose: Store account information, subscription data, and application state
  • Data Shared: All user account data, encrypted Stripe tokens, subscription records
  • Privacy Policy: https://supabase.com/privacy
  • Location: United States (US East region)
  • Security: Row-level security (RLS) policies, encrypted connections

4.3 Vercel (Application Hosting)

  • Purpose: Host and serve the Keepbase web application
  • Data Shared: Application logs, performance metrics, request metadata
  • Privacy Policy: https://vercel.com/legal/privacy-policy
  • Location: United States

4.4 Upstash Redis (Rate Limiting)

  • Purpose: Distributed rate limiting to prevent abuse
  • Data Shared: Request counts, IP addresses (temporary, auto-expire)
  • Privacy Policy: https://upstash.com/privacy
  • Location: Global (edge network)

4.5 Sentry (Error Tracking & Session Replay)

  • Purpose: Error monitoring, crash reporting, and session replay for debugging
  • Data Shared: Error logs, stack traces, browser information, session recordings (with consent)
  • Privacy Policy: https://sentry.io/privacy/
  • Location: United States
  • Consent Required: Yes - Sentry is only activated when you accept analytics cookies via our cookie consent banner

4.6 No Selling of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. All third-party services listed above are strictly service providers who help us operate the platform.

5. Data Security

We implement industry-standard security measures to protect your information:

  • Encryption in Transit: All data transmitted to and from Keepbase is encrypted using TLS 1.3
  • Encryption at Rest: Sensitive data is encrypted in our database using AES-256 encryption
  • Token Encryption: Stripe OAuth tokens are encrypted using AES-256-GCM with unique encryption keys
  • Row-Level Security: Database access is restricted by user-level permissions
  • Access Controls: Employee access to production data is limited and logged
  • Security Audits: Regular security reviews and vulnerability assessments
  • Breach Notification: In the event of a data breach, affected users will be notified within 72 hours as required by law

While we implement strong security measures, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

6. Data Retention

6.1 Active Accounts

We retain your account data and subscription information for the duration of your active subscription to provide the Service.

6.2 Cancelled Accounts

When you cancel your Keepbase account, we will:

  • Delete personal data after 30 days: Email addresses, names, company information, Stripe OAuth tokens (encrypted)
  • Retain anonymized analytics indefinitely: Subscription metrics, churn patterns, save rates (with customer IDs hashed)

This approach allows us to improve the product while respecting your privacy rights.

6.3 Legal Compliance

We may retain certain data for longer periods if required by law, to resolve disputes, enforce our Terms of Service, or comply with regulatory obligations.

6.4 Anonymized Analytics (GDPR/CCPA Compliant)

We retain anonymized analytics data indefinitely for product improvement purposes. This data is compliant with GDPR Article 89 and CCPA regulations because:

  • Customer IDs are one-way hashed (cannot be reversed to identify individuals)
  • Email addresses and names are completely removed
  • Data is used only for aggregate analytics and product insights
  • No personally identifiable information (PII) is retained

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

7.1 GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), you have the following rights under GDPR:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Correct inaccurate or incomplete personal data
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data
  • Right to Data Portability: Receive your data in a machine-readable format (JSON or CSV)
  • Right to Restrict Processing: Limit how we use your data
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for data processing at any time

7.2 CCPA Rights (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the "sale" of personal information (note: we do not sell personal data)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

7.3 How to Exercise Your Rights

To exercise any of these rights, email us at hello@keepbase.dev with the subject line "Privacy Rights Request." We will respond within 30 days.

You can also manage your data directly in your account settings:

  • Update your email and profile information
  • Export your subscription data (Dashboard → Settings → Export Data)
  • Delete your account (Dashboard → Settings → Delete Account)

8. Cookies and Tracking Technologies

We use cookies and similar technologies to provide and improve the Service:

8.1 Essential Cookies (Required)

These cookies are necessary for the Service to function:

  • Authentication session cookies (login state)
  • CSRF protection tokens (security)
  • Load balancing cookies (performance)

8.2 Analytics Cookies (Optional)

These cookies help us understand how users interact with the Service:

  • Sentry Error Tracking: Captures errors and crashes to help us fix bugs
  • Sentry Session Replay: Records anonymous session replays for debugging (only with your consent)
  • Usage Analytics: Measures feature adoption and usage patterns

Important: Analytics cookies are only activated after you consent via our cookie banner. You can change your preferences at any time by clicking "Cookies" in the footer.

8.3 How to Control Cookies

We provide a cookie consent banner when you first visit our site. You can manage your cookie preferences:

  • Cookie Banner: Accept or reject all cookies, or customize your preferences
  • Footer Link: Click "Cookies" in the footer to change your preferences at any time
  • Browser Settings: Most browsers allow you to block or delete cookies
  • Note: Disabling essential cookies will prevent you from using the Service
  • For more information, visit aboutcookies.org

9. International Data Transfers

Keepbase is based in the United States. Your information may be transferred to and processed in the United States or other countries where our service providers operate.

For European Users: We implement appropriate safeguards for international data transfers, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensuring our service providers adhere to GDPR-equivalent protections

By using the Service, you consent to the transfer of your information to the United States and other jurisdictions.

10. Children's Privacy

Keepbase is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at hello@keepbase.dev. We will delete such information promptly.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email (to the address associated with your account)
  • Display a prominent notice on the Service

Your continued use of the Service after changes are posted constitutes acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Email: hello@keepbase.dev
Website: https://keepbase.dev

For privacy rights requests (GDPR/CCPA), please use the subject line "Privacy Rights Request" to ensure prompt handling.

Summary: We collect data necessary to provide our subscription retention service, share it only with essential service providers (Stripe, Supabase, Vercel), implement strong security measures, and respect your privacy rights under GDPR and CCPA. Personal data from cancelled accounts is deleted after 30 days, while anonymized analytics are retained indefinitely for product improvement.