Privacy policy – Profinto

Last updated: [DATE]

Who we are

This website and the Subscription Manager for Stripe plugin are operated by:

ProductTickler B.V., trading as Profinto
Meerwijkselaan 5
6571 CM Berg en Dal
Netherlands

KVK (Chamber of Commerce): 98314696
VAT number: NL868442197B01
Email: info@profinto.com
Phone: [PHONE_NUMBER]

When this policy says “we”, “our”, or “us”, it refers to ProductTickler B.V. We are the data controller for the personal data described in this policy.

What personal data we collect

We collect different types of personal data depending on how you interact with us.

Direct identifiers

When you purchase a license or create an account through Freemius checkout, we collect your name and email address.

Financial data

Billing addresses and partial payment information (such as the last four digits of your card) are processed through Stripe. We never store full credit card numbers on our servers.

Technical data

When you visit our website, our servers automatically collect your IP address, browser type, operating system, referring URL, pages visited, and timestamps. This data is stored in server access logs.

Plugin usage data

Our WordPress plugin can collect anonymous usage metadata such as plugin version, WordPress version, PHP version, and active feature usage. This telemetry is covered in more detail below under “Plugin telemetry”.

Why we process your data

Under the General Data Protection Regulation (GDPR), we need a lawful basis for each way we use your personal data. The table below maps each processing activity to its legal basis.

Processing activity	Lawful basis	GDPR reference
Account creation and billing	Necessary to perform our contract with you	Article 6(1)(b)
Security logging and fraud prevention	Our legitimate interest in keeping our services secure	Article 6(1)(f)
Marketing emails and newsletters	Your explicit consent, which you can withdraw at any time	Article 6(1)(a)
Tax record keeping	Legal obligation under Dutch and EU tax law	Article 6(1)(c)
Plugin telemetry and usage analytics	Your explicit consent through the opt-in prompt	Article 6(1)(a)

How long we keep your data

We only keep personal data for as long as we need it. Here are the specific retention periods:

Server access logs: 30 days, then automatically deleted.
Backups: 60 days on a rolling basis. Older backups are overwritten.
Transaction and invoice records: 7 years, as required by Dutch tax law (Algemene wet inzake rijksbelastingen).
Account data (name, email, license info): Kept for as long as your account is active. Deleted within 30 days of receiving a valid deletion request.
Plugin telemetry data: Aggregated and anonymized within 90 days of collection. Once aggregated, individual data points are deleted.

Your rights

As a data subject under the GDPR, you have the following rights regarding your personal data:

Right of access (Article 15): You can request a copy of the personal data we hold about you.
Right to rectification (Article 16): You can ask us to correct inaccurate or incomplete data.
Right to erasure (Article 17): You can ask us to delete your personal data. We will do so unless we have a legal obligation to retain it.
Right to restriction (Article 18): You can ask us to limit how we use your data while a complaint or correction is being processed.
Right to data portability (Article 20): You can request your data in a structured, commonly used, machine-readable format.
Right to object (Article 21): You can object to processing based on legitimate interests. We will stop unless we have compelling grounds to continue.

To exercise any of these rights, email us at info@profinto.com. Please include enough information for us to verify your identity (for example, the email address associated with your account). We will respond within 30 days. If we need more time, we will let you know and explain why.

Exercising your rights is free of charge. If a request is clearly unfounded or excessive, we may charge a reasonable fee or refuse the request, but we will always explain our reasoning.

Who we share your data with

We use a limited number of third-party service providers to operate our business. Each provider only processes your data on our behalf and under our instructions.

Provider	Purpose	Location	Transfer safeguard
Stripe	Payment processing and subscription billing	United States	Standard Contractual Clauses (SCCs)
Freemius	License management, checkout, and plugin update delivery	United States / Israel	Standard Contractual Clauses (SCCs)
Strato	Website and email hosting	Germany (EU)	Data stays within the EU; no additional safeguard required
[ANALYTICS_PROVIDER]	Website analytics and visitor statistics	[Location]	[Safeguard]
[EMAIL_PROVIDER]	Transactional and marketing email delivery	[Location]	[Safeguard]

We do not sell, rent, or trade your personal data to any third party. We also do not share your data with third parties for their own marketing purposes.

Plugin telemetry

The Subscription Manager for Stripe plugin includes an optional telemetry feature that helps us understand how the plugin is used and where we should focus improvements.

Telemetry is disabled by default. It is only activated if you explicitly opt in through the consent prompt shown in the plugin settings. You are never required to enable telemetry, and declining does not limit any plugin functionality.

When telemetry is enabled, the plugin may collect:

WordPress version and PHP version
Plugin version and active feature flags
Server environment details (operating system, web server type)
Number of active subscriptions (as a count, not individual details)

Telemetry data is anonymous and cannot be linked back to individual users or their customers. No customer names, email addresses, financial data, or transaction details are ever included.

You can disable telemetry at any time from the plugin settings page. Disabling it takes effect immediately, and no further data is collected. Previously collected telemetry data is aggregated and anonymized within 90 days.

International data transfers

Some of our service providers are based outside the European Economic Area (EEA). When personal data is transferred to countries that do not have an EU adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure your data receives an equivalent level of protection.

Specifically, our transfers to Stripe (United States) and Freemius (United States and Israel) are covered by SCCs. You can request a copy of the relevant clauses by contacting us at info@profinto.com.

How we protect your data

We take reasonable technical and organizational measures to protect your personal data against unauthorized access, loss, or misuse. These include:

Encryption in transit: All connections to our website and services use SSL/TLS encryption.
Encrypted storage: Sensitive data is encrypted at rest on our servers.
Access controls: Only authorized team members can access personal data, and access is limited to what is necessary for their role.
Regular backups: Automated backups protect against data loss.
Software updates: We regularly update our server software, WordPress installation, and dependencies to address known vulnerabilities.

No system is completely secure. If you believe your data has been compromised, please contact us immediately at info@profinto.com.

Cookies

Our website uses cookies and similar technologies. For detailed information about which cookies we use, their purpose, and how to manage them, please see our Cookie Policy.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by posting a prominent notice on our website or, where appropriate, by sending you an email.

We encourage you to review this page periodically. The “Last updated” date at the top of this policy shows when it was most recently revised.

Complaints and supervisory authority

If you believe we are not handling your personal data correctly, we would like the chance to address your concerns first. Please contact us at info@profinto.com.

You also have the right to lodge a complaint with a data protection supervisory authority. For the Netherlands, this is:

Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
2594 AV Den Haag
Netherlands
Website: autoriteitpersoonsgegevens.nl

If you are located in another EU/EEA country, you may also contact your local data protection authority.

Contact us

If you have any questions about this privacy policy or how we handle your personal data, you can reach us at:

ProductTickler B.V. (trading as Profinto)
Meerwijkselaan 5
6571 CM Berg en Dal
Netherlands
Email: info@profinto.com
Phone: [PHONE_NUMBER]