Graphic of a large white circular gradient over a blue background with layered curved outlines.
Privacy Policy — RetentionLab
Legal

Privacy Policy

Effective: March 19, 2026
Last updated: March 19, 2026
Version: 1.0
Contents

This Privacy Policy explains how RetentionLab ("we," "us," or "our") collects, uses, and protects information when you use our retention intelligence platform at retentionlab.ai and app.retentionlab.ai. We take your privacy and the privacy of your customers seriously.

01

Overview

RetentionLab connects to your Shopify store to analyze customer retention patterns. This means we handle two types of data: information about you as our customer, and data from your Shopify store about your customers.

The short version: We only collect what we need to provide the Service. We never sell your data. We never share your store data with other RetentionLab customers. You can delete your data anytime. We take security seriously.

02

What We Collect

We collect information in three ways — what you give us directly, what we collect automatically, and what we access from your Shopify store.

Category What it includes Why we collect it
Account information Name, email address, business name, password To create and manage your account
Payment information Billing details processed by Stripe — we never store card numbers To process your subscription
Shopify store data Order history, customer records, purchase behavior To provide retention analysis
Usage data Pages visited, features used, session duration To improve the Service
Communications Emails and messages you send us To respond to support requests
03

How We Use Your Data

We use the information we collect to:

  • Provide, operate, and improve the RetentionLab platform
  • Generate retention analytics, cohort analysis, and at-risk customer reports
  • Send you product updates, billing notifications, and support communications
  • Calculate anonymized DTC industry benchmarks across our customer base
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

We do not use your data to train AI models for third parties, serve advertising, or any purpose beyond what is necessary to provide the Service to you.

04

Shopify Store Data

When you connect your Shopify store, we access the following data through the Shopify API:

  • Order records — order ID, date, amount, status
  • Customer records — name, email address, order count, total spend
  • Order line items — products purchased per order
  • Referring sources and UTM parameters where available

We do not access or store:

  • Payment card numbers or full payment details
  • Product inventory, costs, or margin data
  • Staff accounts or admin credentials
  • Draft orders, abandoned checkouts, or unpublished content

Your customers' data is processed only to provide retention analysis to you. We do not contact your customers directly, market to them, or use their information for any purpose other than generating insights for your account.

Your Shopify store data is stored in isolated, encrypted storage. It is never commingled with data from other RetentionLab customers in a way that could identify your store or your customers.

05

Data Sharing

We do not sell your personal information or your store data. We share data only in the following limited circumstances:

  • Service providers — we share data with third-party vendors who help us operate the Service, such as cloud hosting and payment processing. These providers are contractually bound to use your data only to provide services to us.
  • Legal requirements — we may disclose information if required by law, court order, or government authority.
  • Business transfers — if RetentionLab is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you in advance.
  • With your consent — we may share information in other circumstances with your explicit permission.

We never share individual store data with other RetentionLab customers. Anonymized, aggregated benchmark statistics derived from across our customer base may be used to power our DTC industry benchmarks — this data cannot be used to identify your store, your customers, or your revenue.

06

Sub-Processors

We use the following third-party service providers to operate RetentionLab. Each is bound by data processing agreements that require them to protect your data:

Provider Purpose Location
Stripe Payment processing and subscription management United States
Shopify Store data access via API United States / Canada
Vercel / AWS Cloud infrastructure and hosting United States
Anthropic AI-powered campaign drafting (Agent plan only) United States
Postmark / SendGrid Transactional email delivery United States

We will update this list when we add new sub-processors and notify Enterprise customers in advance of any material changes.

07

Data Retention

We retain your data for as long as your account is active and for a reasonable period afterward to comply with legal obligations and resolve disputes.

  • Active accounts — we retain your account information and store data for the duration of your subscription
  • After cancellation — your store data is deleted within 30 days of account termination
  • Billing records — payment records are retained for 7 years as required by financial regulations
  • Immediate deletion — you may request immediate deletion of your store data by emailing insights@retentionlab.ai
08

Security

We implement industry-standard security measures to protect your data:

  • All data is encrypted in transit using TLS 1.2 or higher
  • Store data is encrypted at rest using AES-256 encryption
  • Access to production systems is restricted to authorized personnel only
  • We conduct regular security reviews and vulnerability assessments
  • Shopify API tokens are stored encrypted and rotated regularly

No system is completely secure. If you discover a security vulnerability, please report it responsibly to security@retentionlab.ai. We will investigate and respond within 48 hours.

In the event of a data breach that affects your information, we will notify you within 72 hours as required by applicable law.

09

Your Rights

You have the following rights regarding your personal information. To exercise any of these rights, contact us at insights@retentionlab.ai.

Access
Request a copy of the personal information we hold about you.
Correction
Ask us to correct inaccurate or incomplete information.
Deletion
Request deletion of your personal data and store data.
Portability
Receive your data in a structured, machine-readable format.
Objection
Object to processing of your data for certain purposes.
Restriction
Request that we limit how we use your data in certain circumstances.

We will respond to all requests within 30 days. We may need to verify your identity before fulfilling a request.

10

CCPA — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) gives you specific rights regarding your personal information.

Under the CCPA you have the right to:

  • Know what personal information we collect, use, disclose, and sell
  • Request deletion of your personal information
  • Opt out of the sale of your personal information — we do not sell personal information
  • Non-discrimination for exercising your CCPA rights

To submit a CCPA request, email insights@retentionlab.ai with the subject line "CCPA Request." We will respond within 45 days.

In the past 12 months, we have not sold any personal information to third parties.

11

GDPR — European Users

If you are located in the European Economic Area (EEA), the UK, or Switzerland, the General Data Protection Regulation (GDPR) applies to your data.

Our legal bases for processing your personal data are:

  • Contract — processing necessary to provide the Service you have subscribed to
  • Legitimate interests — improving the Service, preventing fraud, and security
  • Legal obligation — compliance with applicable laws
  • Consent — for optional communications such as marketing emails

Data we collect may be transferred to and processed in the United States. We use Standard Contractual Clauses approved by the European Commission to ensure adequate protection for such transfers.

You have the right to lodge a complaint with your local data protection authority. To exercise your GDPR rights, contact us at insights@retentionlab.ai.

For Enterprise customers requiring a formal Data Processing Agreement (DPA) as required under GDPR Article 28, please contact us at insights@retentionlab.ai and we will provide a signed DPA.

12

Cookies

We use cookies and similar tracking technologies to operate the Service and improve your experience.

Type Purpose Duration
Essential Authentication, session management, security Session / 30 days
Functional Remembering your preferences and settings 1 year
Analytics Understanding how the Service is used to improve it 2 years

You can control cookies through your browser settings. Disabling essential cookies may prevent parts of the Service from functioning correctly.

13

Changes and Contact

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

If you have questions about this Privacy Policy or how we handle your data, please contact us:

Questions about your data?

We take privacy seriously and respond to every request. Whether you need a copy of your data, want something deleted, or need a formal DPA for your enterprise plan — just ask.

Contact insights@retentionlab.ai

See your revenue at risk in 3 minutes.

Connect your Shopify store in under 3 minutes. No developer needed. No credit card required. Just your real data, instantly.
See my revenue at risk — free
Book a 15-min demo
Know who's leaving before they go.

© 2026 RetentionLab
Home
Home
Features
Features
Pricing
Pricing
Blog
Blog
Contact
Contact