RINSlab

Privacy Policy

Effective date: 3 July 2026

This Privacy Policy explains how RINSlab processes personal data — what we collect, why, who we share it with, how long we keep it, and the rights you have. It applies to everyone who uses the service: signed-in users and the people you share poll links with.

1. Who runs the service

RINSlab is operated by Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701. For privacy matters, contact us at privacy@rinslab.com.

For the purposes of EU/UK GDPR:

  • We act as controller for account, billing, and service-security data.
  • We act as processor for workspace content and poll-response data we process on behalf of the workspace owner. That processing is governed by our Data Processing Terms.
  • The workspace owner is the controller of the data they collect from their respondents.

2. Data we collect

Account data

  • Email address.
  • Display name (optional).
  • Authentication identifiers (from your Google or magic-link sign-in provider). We never receive a password.
  • Workspace memberships and roles.
  • Basic usage information, such as sign-in timestamps.

Billing data (if you subscribe)

  • Stripe customer and subscription IDs.
  • Subscription status and current billing period.
  • Billing metadata. We never see or store your card details — those are handled entirely by Stripe.

Workspace data (what you create)

  • Workspace name and optional logo.
  • Feature definitions (name, description, notes).
  • Member invitations — if a workspace admin invites you, we receive your email address from that admin (not from you) and use it only to deliver and manage the invitation. It's kept only until the invite is accepted or expires.

Poll responses

When a respondent answers one of your poll links, we store only:

  • The two Kano ratings (1–5 for the functional and dysfunctional questions).
  • An optional importance rating (1–9).
  • The feature the answer belongs to.
  • A timestamp.

Respondents don't sign up or sign in. We do not ask respondents for their name or email address. Responses are stored without direct identifiers and are not linked to user accounts or to other responses from the same respondent.

3. Technical and security data

Server logs

Our infrastructure provider (Vercel) may process IP addresses, user-agent strings, and request metadata for a short operational period (typically a few days) to keep the service secure and reliable. We don't use server logs for profiling or advertising.

Authentication cookies

Strictly necessary cookies that keep you signed in.

Workspace and demo cookies

Strictly necessary cookies that remember which workspace you last opened and run the read-only demo. Convenience and session state only — never analytics or tracking.

Bot protection

Public poll pages use Cloudflare Turnstile to block spam and automated abuse. Turnstile processes the respondent's IP address and browser signals solely to tell humans from bots (see the Cloudflare entry in section 5), and may set its own strictly necessary cookie.

For rate-limiting we keep only a short-lived, salted hash of the IP address on our own servers. It is used only for abuse-prevention — never for analytics or profiling — and the raw IP address is never stored or attached to a response.

4. Legal bases for processing (GDPR)

Where EU/UK GDPR applies, we process personal data under:

  • Contract (Art. 6(1)(b)) — to provide the service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — prevent abuse, maintain security, diagnose technical issues, and improve the reliability and functionality of the service.
  • Legal obligation (Art. 6(1)(c)) — tax and accounting requirements.
  • Consent (Art. 6(1)(a)) — where required for optional features. You can withdraw consent at any time; withdrawal does not affect processing carried out before the withdrawal.

5. Data sharing (processors)

We don't sell your data and we don't use it for advertising. To run the service we share specific data with the following processors, each contractually bound by data-protection terms:

  • Supabase, Inc.

    Role: Authentication, database hosting, file storage.

    Data shared: Account data, workspace content, poll responses.

    Their privacy policy →

  • Vercel, Inc.

    Role: Application hosting, CDN, and cookieless web analytics on our public pages.

    Data shared: HTTP request data (URLs, IPs, user-agents, response codes) for the operational logging period. For analytics: aggregated page views, referrer, country (IP-derived, not stored), and approximate device class — no cookies, no fingerprinting, and no identifiers that directly identify individual visitors.

    Their privacy policy →

  • Stripe Payments Europe, Ltd. (and affiliates)

    Role: Payment processing under Stripe Managed Payments; merchant of record for VAT/sales-tax collection.

    Data shared: Your name, email, billing address, card details (entered directly on Stripe — we do not receive card data), purchase amounts.

    Their privacy policy →

  • Resend, Inc.

    Role: Transactional email delivery (sign-in links, invite notifications).

    Data shared: Recipient email address and the contents of the message we send.

    Their privacy policy →

  • Cloudflare, Inc.

    Role: Bot protection (Turnstile) on public poll pages, to block automated and spam submissions.

    Data shared: A poll respondent's IP address and browser signals at the moment of submission, sent to Cloudflare to score whether the submission is human. No account data or response content is shared.

    Their privacy policy →

  • Google LLC

    Role: OAuth sign-in (only when you choose “Continue with Google”).

    Data shared: Google provides us your verified email address and a Google-internal account ID; Google learns that you sign in to RINSlab.

    Their privacy policy →

We may also disclose data when required by a binding court order, by a regulator with proper authority, or where strictly necessary to protect the rights, property, or safety of Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701, our users, or the public.

If the service is ever acquired or merged, personal data may be transferred to the successor as part of that transaction, under protections at least as strong as this policy; we'll notify you before your data becomes subject to a different policy.

6. International transfers

Some processors operate outside the EEA/UK. Where personal data is transferred to a country without an adequacy decision, the transfer is safeguarded by an adequacy mechanism (such as the EU–US Data Privacy Framework, where the provider is certified) or the European Commission's Standard Contractual Clauses (and UK equivalents), plus any additional measures required.

7. Data retention

  • Account data — kept until you delete your account. We delete it within 30 days of closure, except where retention is required by law (e.g. invoices for tax).
  • Workspace data and poll responses — kept until the workspace is deleted; deleting the workspace removes them.
  • Server logs — a few days (provider-dependent).
  • Abuse-prevention records — the salted IP hash used for rate-limiting is purged automatically once it's no longer needed (rows older than about 48 hours are removed).
  • Billing records — retained for the period required by tax and accounting law.
  • Pending invites — expire and are deleted after seven (7) days if not accepted.

We may retain data for a limited period in encrypted backups before it is automatically overwritten as part of our normal backup rotation.

8. Your rights

You have rights over the personal data we hold about you. Where EU/UK GDPR applies, these include the rights of access, rectification, erasure, restriction, data portability, objection, and — where we rely on consent — the right to withdraw it. Equivalent rights apply to California residents under CPRA.

We don't make decisions about you that produce legal or similarly significant effects based solely on automated processing.

Some of these you can exercise directly in the product:

  • Access & portability. Download a CSV of your insights at /account/insights-export, whether or not you have an active subscription.
  • Rectification. Edit your display name at /account. Your email is controlled by your sign-in provider — change it there.
  • Erasure. Close your account at /account → Close account.

For anything else — objection, restriction, or a complaint about how we've handled your data — email privacy@rinslab.com.

You also have the right to lodge a complaint with your local data-protection authority. In the EU, find yours at edpb.europa.eu.

Poll responses are stored without direct identifiers, so we are generally unable to associate a stored response with a particular person; requests about a specific response are best directed to the workspace owner who ran the poll.

9. Cookies

We only use strictly necessary cookies — for authentication, workspace functionality, the demo, and bot protection (described in section 3). We don't use advertising or third-party tracking cookies.

On our public pages we use cookieless, aggregated analytics (Vercel) to understand which content is useful. It sets no cookies, doesn't fingerprint your browser, and doesn't collect identifiers that directly identify individual visitors. We don't load analytics on signed-in product pages.

Because we only use strictly necessary cookies and cookieless aggregated analytics, we do not currently rely on cookies that require prior consent under applicable EU/UK ePrivacy rules.

10. Children

RINSlab is not directed at children. We don't knowingly collect personal data from anyone under the age of 16 (or the digital-consent age in your jurisdiction, if higher). If you believe a child has provided personal data to us, contact privacy@rinslab.com and we'll delete it.

11. Security

We use appropriate technical and organisational measures, including encryption in transit, encryption at rest, and role-based access controls. No system is ever fully secure.

If we become aware of a personal-data breach, we'll notify you and the relevant supervisory authority where the law requires.

12. Changes to this policy

We may update this policy as the service evolves. The effective date at the top reflects the most recent change. Material changes will be notified via the service or by email before they take effect.

13. Contact

Questions about this policy? Write to privacy@rinslab.com.

See also our Terms of Service and Data Processing Terms.