Effective date: 3 July 2026
This Privacy Policy explains how RINSlab processes personal data — what we collect, why, who we share it with, how long we keep it, and the rights you have. It applies to everyone who uses the service: signed-in users and the people you share poll links with.
RINSlab is operated by Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701. For privacy matters, contact us at privacy@rinslab.com.
For the purposes of EU/UK GDPR:
When a respondent answers one of your poll links, we store only:
Respondents don't sign up or sign in. We do not ask respondents for their name or email address. Responses are stored without direct identifiers and are not linked to user accounts or to other responses from the same respondent.
Our infrastructure provider (Vercel) may process IP addresses, user-agent strings, and request metadata for a short operational period (typically a few days) to keep the service secure and reliable. We don't use server logs for profiling or advertising.
Strictly necessary cookies that keep you signed in.
Strictly necessary cookies that remember which workspace you last opened and run the read-only demo. Convenience and session state only — never analytics or tracking.
Public poll pages use Cloudflare Turnstile to block spam and automated abuse. Turnstile processes the respondent's IP address and browser signals solely to tell humans from bots (see the Cloudflare entry in section 5), and may set its own strictly necessary cookie.
For rate-limiting we keep only a short-lived, salted hash of the IP address on our own servers. It is used only for abuse-prevention — never for analytics or profiling — and the raw IP address is never stored or attached to a response.
Where EU/UK GDPR applies, we process personal data under:
We don't sell your data and we don't use it for advertising. To run the service we share specific data with the following processors, each contractually bound by data-protection terms:
Supabase, Inc.
Role: Authentication, database hosting, file storage.
Data shared: Account data, workspace content, poll responses.
Vercel, Inc.
Role: Application hosting, CDN, and cookieless web analytics on our public pages.
Data shared: HTTP request data (URLs, IPs, user-agents, response codes) for the operational logging period. For analytics: aggregated page views, referrer, country (IP-derived, not stored), and approximate device class — no cookies, no fingerprinting, and no identifiers that directly identify individual visitors.
Stripe Payments Europe, Ltd. (and affiliates)
Role: Payment processing under Stripe Managed Payments; merchant of record for VAT/sales-tax collection.
Data shared: Your name, email, billing address, card details (entered directly on Stripe — we do not receive card data), purchase amounts.
Resend, Inc.
Role: Transactional email delivery (sign-in links, invite notifications).
Data shared: Recipient email address and the contents of the message we send.
Cloudflare, Inc.
Role: Bot protection (Turnstile) on public poll pages, to block automated and spam submissions.
Data shared: A poll respondent's IP address and browser signals at the moment of submission, sent to Cloudflare to score whether the submission is human. No account data or response content is shared.
Google LLC
Role: OAuth sign-in (only when you choose “Continue with Google”).
Data shared: Google provides us your verified email address and a Google-internal account ID; Google learns that you sign in to RINSlab.
We may also disclose data when required by a binding court order, by a regulator with proper authority, or where strictly necessary to protect the rights, property, or safety of Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701, our users, or the public.
If the service is ever acquired or merged, personal data may be transferred to the successor as part of that transaction, under protections at least as strong as this policy; we'll notify you before your data becomes subject to a different policy.
Some processors operate outside the EEA/UK. Where personal data is transferred to a country without an adequacy decision, the transfer is safeguarded by an adequacy mechanism (such as the EU–US Data Privacy Framework, where the provider is certified) or the European Commission's Standard Contractual Clauses (and UK equivalents), plus any additional measures required.
We may retain data for a limited period in encrypted backups before it is automatically overwritten as part of our normal backup rotation.
You have rights over the personal data we hold about you. Where EU/UK GDPR applies, these include the rights of access, rectification, erasure, restriction, data portability, objection, and — where we rely on consent — the right to withdraw it. Equivalent rights apply to California residents under CPRA.
We don't make decisions about you that produce legal or similarly significant effects based solely on automated processing.
Some of these you can exercise directly in the product:
For anything else — objection, restriction, or a complaint about how we've handled your data — email privacy@rinslab.com.
You also have the right to lodge a complaint with your local data-protection authority. In the EU, find yours at edpb.europa.eu.
Poll responses are stored without direct identifiers, so we are generally unable to associate a stored response with a particular person; requests about a specific response are best directed to the workspace owner who ran the poll.
We only use strictly necessary cookies — for authentication, workspace functionality, the demo, and bot protection (described in section 3). We don't use advertising or third-party tracking cookies.
On our public pages we use cookieless, aggregated analytics (Vercel) to understand which content is useful. It sets no cookies, doesn't fingerprint your browser, and doesn't collect identifiers that directly identify individual visitors. We don't load analytics on signed-in product pages.
Because we only use strictly necessary cookies and cookieless aggregated analytics, we do not currently rely on cookies that require prior consent under applicable EU/UK ePrivacy rules.
RINSlab is not directed at children. We don't knowingly collect personal data from anyone under the age of 16 (or the digital-consent age in your jurisdiction, if higher). If you believe a child has provided personal data to us, contact privacy@rinslab.com and we'll delete it.
We use appropriate technical and organisational measures, including encryption in transit, encryption at rest, and role-based access controls. No system is ever fully secure.
If we become aware of a personal-data breach, we'll notify you and the relevant supervisory authority where the law requires.
We may update this policy as the service evolves. The effective date at the top reflects the most recent change. Material changes will be notified via the service or by email before they take effect.
Questions about this policy? Write to privacy@rinslab.com.
See also our Terms of Service and Data Processing Terms.