RINSlab

Privacy Policy

Effective date: 3 June 2026

This policy explains what personal data RINSlab collects, why, how it's used, who it's shared with, how long it's kept, and the rights you have over it. It applies to everyone who uses the service — signed-in users and the people you share poll links with.

1. Who runs the service

RINSlab is operated by Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701. For privacy matters you can reach us at privacy@rinslab.com. Under EU/UK GDPR, Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701 is the controller of personal data about its account holders, and a processor of the workspace content + poll responses you collect through the service (where you are the controller of that content).

2. What we collect

Three categories of data flow through the service.

Account data (about signed-in users)

  • Email address. Provided by your sign-in provider (Google) or entered for magic-link sign-in. Required to authenticate you and to send transactional email.
  • Display name. Optional. Used to show teammates who's who and to address you in transactional email. Editable from /account.
  • OAuth provider identifier. If you sign in with Google, the provider gives us a stable internal user ID and your verified email. We don't receive a password.
  • Workspace memberships and roles. Which workspaces you belong to, what role you have, and who invited you.
  • Billing data (if you subscribe). Your Stripe customer + subscription IDs, subscription status, and the current period end. We never see or store your card details — card data is handled entirely by Stripe.

Workspace content (what you create)

  • Workspace name and optional logo (uploaded by an admin; shown to poll respondents).
  • Features you add: name, short description, optional note, share token (the random ID in your poll URL).
  • Email addresses you enter on the Members page when you invite someone who doesn't yet have an account (kept only until they accept or the invite expires).

Poll responses (from people you share links with)

When someone opens one of your poll links and answers, we store only the two Kano ratings (a 1–5 score for the “feature present” question and a 1–5 score for the “feature absent” question), the feature it belongs to, and a timestamp.

We do not ask respondents for their name, email, IP, or any other identifying information. Responses are not linked to a user account. Respondents do not need to sign up to RINSlab to answer.

Technical data

  • Server logs. Our hosting provider (Vercel) records HTTP requests, IP addresses, and user-agent strings for the operational period typical of web infrastructure (usually a few days), to keep the service running and to mitigate abuse. We don't use these logs for analytics or profiling.
  • Authentication cookies. Set by our authentication provider (Supabase) to keep you signed in. Strictly necessary; no third-party analytics.
  • Workspace cookie (rins_current_workspace). A non-identifying ID that remembers which workspace you last opened. Convenience only.
  • Demo cookie (rins_demo_mode). Set when an anonymous visitor enters the demo; flagged so the app knows to render the demo as read-only.

3. Why we use it (lawful bases)

Where EU/UK GDPR applies, we rely on the following lawful bases for processing personal data:

  • Contract (Art. 6(1)(b) GDPR) — to provide the service you signed up for, including authenticating you, hosting your workspaces, processing payments, and sending transactional email (sign-in links, invite notifications, billing receipts).
  • Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, debug issues, and operate at a reasonable cost. Where we rely on this basis we balance it against your interests and rights; you can object (see section 7).
  • Legal obligation (Art. 6(1)(c)) — to keep records required by tax, accounting, or law enforcement legislation applicable to Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701.
  • Consent (Art. 6(1)(a)) — for anything optional that needs it. We don't currently run marketing email campaigns or ad-tracking that would require consent; if that changes you'll see an opt-in prompt.

4. Who we share data with (subprocessors)

We don't sell your data and we don't use it for advertising. To run the service we share specific data with the following processors, each contractually bound by data-protection terms:

  • Supabase, Inc.

    Role: Authentication, database hosting, file storage.

    Data shared: Account data, workspace content, poll responses.

    Their privacy policy →

  • Vercel, Inc.

    Role: Application hosting, CDN, and cookieless web analytics on our public pages.

    Data shared: HTTP request data (URLs, IPs, user-agents, response codes) for the operational logging period. For analytics: aggregated page views, referrer, country (IP-derived, not stored), and approximate device class — no cookies, no fingerprinting, no personal identifiers.

    Their privacy policy →

  • Stripe Payments Europe, Ltd. (and affiliates)

    Role: Payment processing under Stripe Managed Payments; merchant of record for VAT/sales-tax collection.

    Data shared: Your name, email, billing address, card details (entered directly on Stripe — we do not receive card data), purchase amounts.

    Their privacy policy →

  • Resend, Inc.

    Role: Transactional email delivery (sign-in links, invite notifications).

    Data shared: Recipient email address and the contents of the message we send.

    Their privacy policy →

  • Google LLC

    Role: OAuth sign-in (only when you choose “Continue with Google”).

    Data shared: Your verified email address and a Google-internal account ID.

    Their privacy policy →

We may also disclose data when required by a binding court order, by a regulator with proper authority, or where strictly necessary to protect the rights, property, or safety of Lukáš Podhola, IČ: 72929863, Palackého tř. 77, Chrudim 53701, our users, or the public.

5. International transfers

Some of our processors are based in the United States. Where personal data is transferred from the EU/UK/EEA to a country without an adequacy decision, the transfer is covered by the European Commission's Standard Contractual Clauses and any supplementary measures required by the provider's data-processing addendum.

6. How long we keep it

  • Account data is kept while your account is active. When you close your account we delete it on a best-effort basis within thirty (30) days, except where retention is required by law (e.g. invoices for tax purposes, which we keep for the period required by the Czech Republic tax legislation).
  • Workspace content and poll responses are kept while the workspace exists. Deleting the workspace removes them. If you're the sole admin of a workspace and you close your account, the workspace and its data are deleted with you.
  • Pending invites expire and are deleted after seven (7) days if not accepted.
  • Billing records (kept on Stripe and a subset on our side: customer + subscription IDs, statuses, period end dates) are retained for the period required by tax and accounting law in the Czech Republic, typically several years.
  • Server logs follow our hosting provider's standard retention (typically a few days for operational logs).

7. Your rights

You have rights over the personal data we hold about you. Where EU/UK GDPR applies these include the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Equivalent rights apply to California residents under CPRA.

Mechanics already implemented in the product:

  • Access & portability. Download a CSV of your insights at /account/insights-export. This works whether or not you currently have an active subscription.
  • Rectification. Edit your display name at /account. Your email is controlled by your sign-in provider — change it there.
  • Erasure. Close your account from /account → Close account. The flow lets you transfer billing for workspaces you superadmin to another admin, or delete them outright.

For anything else — objections, restrictions, complaints about how we've handled your data — email privacy@rinslab.com. We'll respond within thirty (30) days.

You also have the right to lodge a complaint with your local data-protection authority. In the EU, find your national authority at edpb.europa.eu.

8. Cookies and similar technologies

We only use cookies that are strictly necessary for the service to function — authentication and the remember-which-workspace helpers listed in section 2. We don't use advertising or third-party tracking cookies.

On our public pages (landing, demo, help, pricing, terms, and privacy policy), and during anonymous demo sessions, we use Vercel's cookieless analytics to count page views and understand which content is useful. It does not set cookies, does not fingerprint your browser, and does not collect personal identifiers — it stores aggregated counts and IP-derived country only (the IP itself is not stored). See the Vercel entry in section 4 for the full data list.

We do not load analytics on signed-in product pages (your dashboard, insights, account settings, members, workspaces).

Because no analytics, advertising, or tracking cookies are set anywhere, no consent banner is required under EU/UK rules — strictly-necessary cookies and cookieless aggregate measurement do not need prior consent.

9. Children

RINSlab is not directed at children. We don't knowingly collect personal data from anyone under the age of 16 (or the digital-consent age in your jurisdiction, if higher). If you become aware that a child has provided personal data to us, please contact privacy@rinslab.com and we'll delete it.

10. Security

We rely on the same security infrastructure as our processors (encryption in transit, encryption at rest at the database layer, role-scoped access control). No system is perfectly secure — we strongly recommend you enable two-factor authentication on the Google account or email account you use to sign in.

If we become aware of a breach affecting your personal data, we'll notify you and the relevant data-protection authority where required by law.

11. Changes to this policy

We may update this policy as the service evolves. The effective date at the top reflects the most recent change. Material changes will be notified via the service or by email before they take effect.

12. Contact

For anything in this policy, write to privacy@rinslab.com.

See also our Terms of Service.