Privacy Policy

Version 2026-04-26
Last updated 2026-04-26

This Privacy Policy explains how Hexonis (Daniel Piringer) processes personal data when operating RetentBase, including the public website, product accounts, hosted cancellation flows, APIs, billing processes, support, security monitoring, and related business operations.

Where RetentBase processes personal data on behalf of a customer workspace, the customer is generally the controller for that workspace data and Hexonis (Daniel Piringer) acts as processor. This Privacy Policy also explains when Hexonis (Daniel Piringer) acts as an independent controller.

Customers remain responsible for their own customer-facing disclosures and for assessing whether additional notices are required for their particular use of RetentBase.

Controller

Hexonis (Daniel Piringer)

Spalatinstr. 40A, 81739 Munich, Germany

Contact for privacy matters: contact@hexonis.com

Scope and role allocation

Hexonis (Daniel Piringer) acts as controller for website operations, account administration, commercial relationships, billing, compliance, fraud prevention, security, product integrity, and direct communications with prospects, customers, and users.

For customer workspace data processed through RetentBase, including hosted cancellation data, custom event ingestion, analytics, and operational reporting, the relevant customer typically remains the controller and Hexonis (Daniel Piringer) acts as processor under the Data Processing Agreement.

If you interact with a cancellation page or workflow configured by one of our customers, that customer may provide additional notices that apply to the customer relationship and the data they choose to submit to RetentBase.

If we receive a request that primarily concerns customer workspace data for which we act only as processor, we may refer or redirect the request to the relevant customer.

Personal data we process

  • Identity and business contact data, such as name, business email address, company name, billing contact details, and account role.
  • Account and authentication data, such as login identifiers, invite records, password reset metadata, session data, and security challenge results.
  • Workspace configuration data, such as workspace names, return URLs, webhook endpoints, offer content, reason lists, and API key metadata.
  • Billing and transaction data, such as subscription status, invoices, payment-related metadata, tax information, and Stripe customer or subscription references.
  • Cancellation and event data submitted by customers, such as external user identifiers, plan names, reason keys, free-text reason details, offer outcomes, timestamps, and customer-provided metadata.
  • Technical, device, and log data, such as IP addresses, request identifiers, browser and network metadata, audit trails, webhook delivery logs, and error diagnostics.
  • Support and communication data, such as emails, in-product support requests, report delivery metadata, and business correspondence.

Purposes and legal bases

  • Providing, securing, and administering RetentBase, including authentication, workspace setup, hosted flows, APIs, dashboards, and operational emails (Article 6(1)(b) GDPR).
  • Managing the commercial relationship, invoicing, tax records, compliance records, and other legal obligations (Article 6(1)(b) and Article 6(1)(c) GDPR).
  • Preventing abuse, investigating incidents, enforcing contractual rights, maintaining service integrity, and improving reliability and security (Article 6(1)(f) GDPR).
  • Handling support, product feedback, and other business communications (Article 6(1)(b) and Article 6(1)(f) GDPR).
  • Documenting legal acceptance, preserving evidence, handling disputes, and establishing, exercising, or defending legal claims (Article 6(1)(c) and Article 6(1)(f) GDPR).
  • Reviewing and improving product performance, reliability, and diagnostics using operational and usage data, preferably in aggregated or minimized form where appropriate (Article 6(1)(f) GDPR).
  • Sending optional marketing communications or using non-essential technologies only where a separate valid consent or other lawful basis applies (Article 6(1)(a) GDPR, where applicable).

Legitimate interests

  • Maintaining network, account, and service security and preventing abuse, fraud, unauthorized access, and misuse.
  • Operating an efficient B2B software business, administering customer relationships, collecting fees, and enforcing contractual rights.
  • Investigating incidents, preserving evidence, defending legal claims, and protecting the service, our personnel, and other customers.
  • Improving reliability, support quality, and product functionality based on operational experience and measured service usage.

Data sources

We collect personal data directly from users, prospects, customer administrators, and other business contacts when they create accounts, accept invites, configure workspaces, contact us, or use the service.

We also receive data from our customers through the hosted cancellation flow, customer APIs, workspace settings, and customer-managed integrations, as well as from payment, authentication, hosting, monitoring, and email-delivery providers involved in operating the service.

Recipients and subprocessors

Personal data is disclosed only to personnel and service providers who need access for the relevant purpose and under appropriate confidentiality and security obligations.

Depending on the situation, data may also be disclosed to professional advisers, auditors, insurers, financing or transaction counterparties, courts, and public authorities where reasonably necessary for lawful business operations, compliance, or the establishment, exercise, or defense of legal claims.

Our current core subprocessors and infrastructure providers relevant to service delivery are Hetzner VPS, Supabase, Cloudflare, Stripe, Sentry, UptimeRobot, and Resend. The current list is published on the Subprocessor List page.

International transfers

Some service providers may process personal data outside the European Economic Area or allow remote access from outside the European Economic Area. Where this happens, we rely on a lawful transfer mechanism under Chapter V GDPR, such as an adequacy decision, the European Commission's Standard Contractual Clauses, or another legally recognized safeguard.

Where Standard Contractual Clauses or comparable safeguards are used, we may supplement them with transfer assessments, contractual controls, provider diligence, and technical or organizational measures appropriate to the transfer risk. Information about the relevant safeguards may be requested via the contact address above where legally required.

We do not represent that every provider processes data exclusively in Germany or the EU. Instead, transfers are assessed and structured to maintain an appropriate level of protection where legally required.

Retention

We retain personal data only for as long as necessary for the relevant purpose, including contract performance, security, support, dispute handling, and legal retention duties.

Account and workspace data are generally kept for the duration of the customer relationship and a limited wind-down period thereafter. Billing and tax records are retained for the statutory retention period. Security logs, diagnostics, support records, and records of legal acceptance may be kept for a limited rolling or evidentiary period unless longer retention is required for investigation, legal claims, or compliance.

Cookies, logs, and similar technologies

  • We use essential session and authentication technologies required to operate secure login and account functionality.
  • We process server logs, request metadata, and security telemetry to protect the service against abuse, fraud, attacks, and operational failures.
  • Cloudflare security services and Turnstile or comparable anti-abuse controls may process device and connection data to distinguish legitimate traffic from automated or malicious traffic.
  • Where consent is required for non-essential storage or access technologies under Section 25 TDDDG and Article 6(1)(a) GDPR, we seek that consent before activation.
  • Unless separately disclosed and consented to where required, we do not rely on non-essential advertising cookies to operate the core service.

No sale or unrelated monetization of customer workspace data

We do not sell customer workspace personal data to data brokers.

We do not use customer workspace personal data submitted on behalf of a customer to build unrelated advertising or marketing profiles for third parties.

Special categories and data minimization

RetentBase is not designed to require special categories of personal data, payment card data, or other highly sensitive content in free-text fields. Customers and users should avoid submitting such data unless strictly necessary, legally permitted, and appropriately documented.

The service is not intended for children's data, government identifiers, health data, financial account credentials, criminal-offence data, or other regulated high-risk data unless expressly agreed in writing and supported by an appropriate customer compliance assessment.

Children and consumer use

RetentBase is a B2B service and is not directed to children or private consumer use. Customers must not intentionally submit children's personal data or consumer data for purposes outside their own lawful customer relationship and controller obligations.

Requests relating to customer workspace data

If your personal data was submitted to RetentBase by one of our customers in that customer's workspace, that customer is usually the controller responsible for the underlying processing and for responding to rights requests.

In those cases, you should normally contact the relevant customer first. Where we act only as processor, we may forward, redirect, or otherwise handle the request in coordination with that customer and in accordance with applicable law.

Your rights

  • You may request access to, rectification of, or erasure of personal data concerning you.
  • You may request restriction of processing and may object to processing based on legitimate interests where the legal requirements are met.
  • You may request data portability where applicable.
  • Where processing is based on consent, you may withdraw consent at any time with effect for the future.
  • You may lodge a complaint with a competent supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged infringement.
  • Certain rights may be subject to statutory conditions, limitations, and exceptions.

Supervisory authority

You may lodge a complaint with any competent supervisory authority. For Hexonis (Daniel Piringer) as a Bavarian private-sector provider, the competent authority is generally the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.

Requirement to provide data

Certain data is necessary to create accounts, manage workspaces, process billing, secure the service, and provide hosted flows or APIs. If required data is not provided, we may be unable to provide the relevant functionality or enter into or maintain the contract.

Automated decision-making

RetentBase may surface analytics, trends, issue indicators, or operational workflow suggestions, but it does not make solely automated decisions that produce legal effects concerning individuals or similarly significantly affect them within the meaning of Article 22 GDPR.

Contact

Privacy requests and questions may be sent to contact@hexonis.com. We may require reasonable proof of identity before acting on a request.
