Privacy Policy
Version 1.0 — Last updated 2 April 2026
This Privacy Policy describes how Redpine Technology AB, reg. no. 559499-8824, Sweden ("Redpine", "we", "us") collects, uses, and shares personal data when you use the Redpine platform.
1. Controller
Redpine Technology AB is the data controller for personal data processed through the platform. Contact: [email protected].
2. Data We Collect
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, authentication, service communications | Contract (Art. 6(1)(b) GDPR) |
| Display name | Personalisation and team membership | Contract (Art. 6(1)(b) GDPR) |
| Firebase UID | Authentication identity linking | Contract (Art. 6(1)(b) GDPR) |
| IP address | Security, abuse prevention, rate limiting | Legitimate interests (Art. 6(1)(f) GDPR) |
| Payment information | Credit purchases processed by Stripe | Contract (Art. 6(1)(b) GDPR) |
| API usage logs | Billing, debugging, abuse detection | Legitimate interests (Art. 6(1)(f) GDPR) |
| Organisation membership | Access control and team management | Contract (Art. 6(1)(b) GDPR) |
| Agreement acceptance records | Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c) GDPR) |
3. How We Use Your Data
- Providing the service — Processing requests, managing accounts, enabling API access (legal basis: contract)
- Billing — Processing credit purchases and maintaining billing records (legal basis: contract and legal obligation)
- Security — Detecting and preventing fraud, abuse, and unauthorised access (legal basis: legitimate interests)
- Communications — Sending service updates, important notices, and support responses (legal basis: contract and legitimate interests)
- Legal compliance — Retaining records as required by applicable law (legal basis: legal obligation)
4. Third-Party Processors
We share your data with the following sub-processors:
| Processor | Purpose | Location |
|---|---|---|
| Google / Firebase | Authentication, cloud infrastructure, database | EU (europe-west1) |
| Stripe | Payment processing | US (SCCs in place) |
| Mailgun | Transactional email delivery | EU |
| Google Cloud Platform | Hosting, storage, logging | EU (europe-west1) |
5. Data Retention
- Account data — Retained while your account is active. Deleted within 30 days of a verified account deletion request, subject to the exceptions below.
- Billing records — Retained for 7 years to comply with Swedish accounting law (Bokföringslagen).
- API usage logs — Retained for 24 months for billing verification and abuse detection, then deleted.
- Agreement acceptance records — Retained indefinitely as evidence of legal acceptance; these records are exempt from standard deletion requests.
6. Your Rights (GDPR)
If you are located in the European Economic Area, you have the following rights under the GDPR:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate or incomplete data.
- Right to erasure — Request deletion of your personal data, subject to legal retention obligations.
- Right to restriction — Request that we restrict processing of your data in certain circumstances.
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to object — Object to processing based on legitimate interests.
To exercise any of these rights, email [email protected]. We will respond within one month. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at imy.se.
7. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, or sell.
- Right to delete — Request deletion of personal information we have collected from you.
- Right to correct — Request correction of inaccurate personal information.
- Right to opt out — We do not sell or share personal information for cross-context behavioural advertising.
- Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.
You may submit requests via email to [email protected]. You may also designate an authorised agent to submit requests on your behalf; the agent must provide written authorisation or power of attorney.
8. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.
9. International Transfers
Your data is primarily processed in the EU (Google Cloud europe-west1 region). Where we transfer data to processors in the United States (such as Stripe), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection.
10. Children
The platform is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on the platform. Your continued use of the platform after the effective date constitutes acceptance of the updated policy.
12. Contact
Redpine Technology AB
Email: [email protected]
Sweden, reg. no. 559499-8824
For more information about how cookies are used, see our Cookie Policy.