1. Introduction and Scope

Getretrograd, Inc. ("Getretrograd," "we," "us," or "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy explains how we collect, use, disclose, store, and protect information about you when you visit our website at getretrograd.com, use our AI-powered data analytics platform, or interact with us in any other way.

This Privacy Policy applies to all individuals who access or use our services, including visitors to our website, registered account holders, trial users, paying customers, and business contacts. It covers personal data processed in the context of providing our software-as-a-service (SaaS) analytics platform and associated support, marketing, and operational activities.

Getretrograd is incorporated in the State of Delaware and headquartered at 548 Market Street, Suite 2800, San Francisco, CA 94104, United States. We are the data controller for personal data collected through our website and in connection with our direct business relationships with customers and prospects.

We are committed to compliance with applicable privacy laws including the General Data Protection Regulation (GDPR) for users in the European Economic Area and United Kingdom, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents, and other applicable state and international privacy regulations.

2. Information We Collect

We collect several categories of personal data, depending on how you interact with us:

2.1 Information You Provide Directly

  • Account Registration Data: When you create an account, we collect your full name, business email address, company name, job title, phone number, and a password (stored in hashed form).
  • Billing and Payment Information: When you subscribe to a paid plan, we collect your billing name, billing address, and payment method details. Payment card data is processed by our PCI-DSS-compliant payment processor (Stripe, Inc.) and we do not store raw card numbers on our systems.
  • Profile and Preferences: Information you add to your profile, including profile photos, notification preferences, language and timezone settings, and team configuration details.
  • Communications: When you contact our support team, submit a form on our website, participate in surveys, or correspond with us by email, we collect the content of those communications and any contact information you provide.
  • Uploaded Data and Content: As part of using our analytics platform, you may upload datasets, connect data sources, and create reports. Such customer data is processed on your behalf and is governed by our Data Processing Agreement with you.

2.2 Information Collected Automatically

  • Log Data: Our servers automatically record information about your interactions, including IP address, browser type and version, operating system, referring URLs, pages viewed, date and time of access, and error logs.
  • Usage Data: We collect data about how you use our platform, including features accessed, queries executed, dashboards created, frequency and duration of sessions, and workflow patterns. This information helps us improve our product and provide support.
  • Device Information: Information about the device you use to access our services, including device identifiers, screen resolution, and hardware configuration.
  • Cookies and Similar Technologies: We use cookies, web beacons, pixels, and local storage to collect information about your browsing behavior and preferences. Please refer to our Cookie Policy for full details.
  • Analytics Data: We use analytics tools to aggregate and analyze usage patterns across our user base. See Section 8 for information about our analytics providers.

2.3 Information from Third Parties

  • Single Sign-On (SSO) Providers: If you choose to log in using Google Workspace, Microsoft Azure AD, Okta, or another SSO provider, we receive your name, email address, and authentication token from that provider.
  • Data Integrations: When you connect third-party data sources (such as databases, CRMs, or cloud storage) to our platform, we access only the data necessary to perform the requested analytics functions, as authorized by you.
  • Business Contact Data: We may receive your contact information from lead generation partners, conference lists, or publicly available professional directories for marketing outreach. You may opt out of such communications at any time.
  • Payment Processors: We receive confirmation and transaction reference data from Stripe when you make payments.

3. How We Use Your Information

We process your personal data for the following purposes and under the following legal bases:

3.1 Providing and Improving Our Services

  • Creating and managing your account and authenticating your identity (Legal basis: Contract performance)
  • Delivering the Getretrograd analytics platform and all subscribed features (Legal basis: Contract performance)
  • Processing your payments and managing your subscription (Legal basis: Contract performance)
  • Providing technical support and responding to customer inquiries (Legal basis: Contract performance; Legitimate interests)
  • Diagnosing technical problems, troubleshooting errors, and ensuring platform stability (Legal basis: Legitimate interests)
  • Conducting product research and user experience studies to improve our services (Legal basis: Legitimate interests; Consent where required)
  • Developing new features, products, and capabilities (Legal basis: Legitimate interests)

3.2 Security and Compliance

  • Detecting, investigating, and preventing fraudulent transactions, unauthorized access, and other security incidents (Legal basis: Legitimate interests; Legal obligations)
  • Enforcing our Terms of Service and Acceptable Use Policy (Legal basis: Legitimate interests; Contract)
  • Complying with applicable laws, regulations, court orders, and lawful requests from government authorities (Legal basis: Legal obligation)
  • Maintaining audit logs and compliance records as required by law or contract (Legal basis: Legal obligation; Legitimate interests)

3.3 Communications and Marketing

  • Sending transactional messages such as account verification, password resets, invoices, and service notifications (Legal basis: Contract performance; Legitimate interests)
  • Sending product updates, feature announcements, and important service notices (Legal basis: Legitimate interests; Consent)
  • Sending marketing communications about our products, industry insights, and events to prospects and customers who have opted in (Legal basis: Consent; Legitimate interests for existing customers)
  • Conducting customer satisfaction surveys and net promoter score (NPS) research (Legal basis: Legitimate interests)

3.4 Analytics and Business Intelligence

  • Analyzing aggregate usage trends to understand how our product is used across our customer base (Legal basis: Legitimate interests)
  • Generating anonymized or pseudonymized benchmarking and industry reports (Legal basis: Legitimate interests)
  • Business planning, forecasting, and reporting (Legal basis: Legitimate interests)

4. Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

  • Account Data: Retained for the duration of your account relationship with us, plus an additional 3 years after account closure for audit and legal purposes, unless a longer retention period is required by law.
  • Customer Content and Uploaded Data: Retained for the duration of your subscription. Upon termination or expiry of your subscription, we will retain your data for 60 days to allow you to export it. After that period, customer content is deleted from production systems within 30 days and from backup systems within 90 days.
  • Billing Records: Retained for 7 years in accordance with U.S. and international financial record-keeping requirements.
  • Server Logs: Retained for 90 days in production and up to 1 year in archival storage for security and forensic purposes.
  • Support Communications: Retained for 3 years from the date of the last interaction.
  • Marketing Data: Retained until you opt out of communications or request deletion. Email engagement data (opens, clicks) is retained for 2 years.
  • Cookie and Tracking Data: See our Cookie Policy for specific retention periods per cookie type.

When data is no longer required for any of the above purposes, we securely delete or anonymize it in accordance with our data destruction procedures.

5. Data Sharing and Disclosure

We do not sell your personal data to third parties. We share personal data only in the following circumstances:

5.1 Service Providers and Sub-processors

We engage trusted third-party service providers to operate and improve our business. These sub-processors are contractually required to protect your data and may only process it for the specific purposes we authorize. Our key sub-processors include:

  • Amazon Web Services (AWS): Cloud infrastructure and data storage (United States and EU regions)
  • Stripe, Inc.: Payment processing and subscription management
  • Intercom, Inc.: Customer support and in-app messaging
  • SendGrid (Twilio): Transactional email delivery
  • HubSpot, Inc.: CRM, marketing automation, and analytics
  • Google Analytics (Google LLC): Website analytics
  • Datadog, Inc.: Application performance monitoring and logging
  • Snowflake Inc.: Data warehouse infrastructure for platform services

A complete and current list of our sub-processors is available upon request at privacy@getretrograd.com.

5.2 Business Transfers

If Getretrograd is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of its assets, your personal data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements and Safety

We may disclose your personal data if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation, court order, or government request; (b) protect the rights, property, or safety of Getretrograd, our users, or others; (c) detect, prevent, or address fraud, security, or technical issues; or (d) enforce our Terms of Service.

5.4 With Your Consent

We may share your personal data with other third parties when you have given us your explicit consent to do so, such as when you authorize a third-party integration through our platform marketplace.

6. International Data Transfers

Getretrograd is headquartered in the United States and our primary infrastructure operates there. If you access our services from outside the United States — including from the European Economic Area (EEA), United Kingdom, or Switzerland — your personal data will be transferred to and processed in the United States and potentially other countries where our sub-processors operate.

For transfers of personal data from the EEA, United Kingdom, or Switzerland to countries that are not recognized as providing an adequate level of data protection, we rely on approved transfer mechanisms including:

  • Standard Contractual Clauses (SCCs): We incorporate the EU Standard Contractual Clauses adopted by the European Commission into our Data Processing Agreements with customers and into our agreements with sub-processors.
  • UK International Data Transfer Agreements (IDTAs): For transfers to and from the United Kingdom following Brexit, we use the ICO-approved IDTA framework.
  • Data Processing Agreements: We maintain comprehensive DPAs with all sub-processors that include appropriate safeguards for international transfers.

You may request a copy of the Standard Contractual Clauses we use by contacting us at privacy@getretrograd.com.

7. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data. We honor these rights for all users globally to the extent technically and legally feasible.

7.1 Rights Under GDPR (EEA, UK, Switzerland)

  • Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
  • Right to Rectification (Article 16): You have the right to request that we correct inaccurate or incomplete personal data about you.
  • Right to Erasure / Right to be Forgotten (Article 17): You have the right to request that we delete your personal data under certain circumstances, including when the data is no longer necessary for the purpose it was collected, when you withdraw consent, or when you object to processing.
  • Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as while we verify the accuracy of data you have contested.
  • Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object (Article 21): You have the right to object to processing of your personal data where we rely on legitimate interests as our legal basis, including for direct marketing purposes.
  • Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless such processing is necessary for a contract or you have provided consent.
  • Right to Withdraw Consent: Where we rely on consent as our legal basis, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

7.2 Rights Under CCPA/CPRA (California Residents)

  • Right to Know: You have the right to know what personal information we collect, use, disclose, and sell, including the specific pieces of personal information we have collected about you in the past 12 months.
  • Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions.
  • Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. However, if you believe your data is being shared in a way that constitutes a "sale" under CCPA, you may exercise your opt-out right by contacting us.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit our use of sensitive personal information to purposes necessary to provide the requested services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights. We will not deny you goods or services, charge you different prices, provide a different quality of service, or suggest you will receive a different quality or price for exercising your rights under the CCPA.

7.3 How to Exercise Your Rights

To exercise any of your privacy rights, please contact us using one of the following methods:

  • Email: privacy@getretrograd.com
  • In-App: Navigate to Account Settings > Privacy & Data to access self-service tools for data export and deletion requests.
  • Mail: Getretrograd, Inc., Attn: Data Protection Officer, 548 Market Street, Suite 2800, San Francisco, CA 94104

We will respond to your request within 30 days for GDPR requests and within 45 days for CCPA requests (with a possible 45-day extension where reasonably necessary). We may require you to verify your identity before processing your request. We will not charge a fee for processing a reasonable rights request unless it is manifestly unfounded, excessive, or repetitive.

If you are an EEA resident and you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/board/members_en.

8. Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar tracking technologies on our website and platform to enhance functionality, analyze usage patterns, and provide relevant content and advertising. For detailed information about the specific cookies we use, their purposes, duration, and how to manage your preferences, please refer to our Cookie Policy.

You can control cookie settings through your browser settings or through our Cookie Preference Center accessible via the cookie banner on our website. Please note that disabling certain cookies may impact the functionality of our services.

9. Data Security

Getretrograd takes the security of your personal data seriously. We implement a comprehensive set of technical, administrative, and physical safeguards designed to protect your data from unauthorized access, disclosure, alteration, and destruction:

  • Encryption in Transit: All data transmitted between your browser or application and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all our domains and services.
  • Encryption at Rest: All data stored in our databases, data warehouses, and file storage systems is encrypted at rest using AES-256 encryption.
  • Access Controls: We enforce the principle of least privilege for all internal access to production systems and customer data. Role-based access control (RBAC) limits data access to personnel who need it to perform their job functions.
  • Multi-Factor Authentication: All Getretrograd employees and contractors with access to production systems are required to use multi-factor authentication (MFA).
  • Security Monitoring: We operate 24/7 security monitoring, intrusion detection systems, and automated alerting to detect and respond to potential security incidents.
  • Vulnerability Management: We conduct regular penetration testing, vulnerability scanning, and security code reviews. We operate a responsible disclosure program for security researchers.
  • SOC 2 Type II: Getretrograd maintains SOC 2 Type II certification, which is independently audited annually to verify our security, availability, and confidentiality controls.
  • Employee Training: All employees receive mandatory security awareness training upon hire and annually thereafter.

Despite our best efforts, no security measures are perfect or impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by applicable law, within 72 hours of becoming aware of the breach where required under GDPR.

10. Children's Privacy

Getretrograd's services are designed for businesses and professionals. Our platform is not directed to, nor do we knowingly collect personal data from, children under the age of 16 (or the applicable age of digital consent in your jurisdiction). If you are under 16 years of age, please do not use our services or provide any personal data to us.

If we become aware that we have collected personal data from a child under the applicable age limit without verifiable parental consent, we will take immediate steps to delete that information from our systems. If you believe we may have inadvertently collected personal data from a child, please contact us immediately at privacy@getretrograd.com.

11. Data Processing on Behalf of Customers

When you use the Getretrograd platform to process data about your own customers, employees, or other individuals, Getretrograd acts as a data processor (or service provider under CCPA) and processes such data only on your instructions as documented in our Data Processing Agreement (DPA). You, as the customer, are the data controller responsible for ensuring you have an appropriate legal basis for processing that data and for fulfilling data subject rights requests relating to that data.

Our standard DPA is incorporated into our Terms of Service for all subscribers. Enterprise customers may request a customized DPA that includes specific provisions for their regulatory requirements. Contact legal@getretrograd.com to request a DPA.

12. Third-Party Links and Services

Our website and platform may contain links to third-party websites, applications, and services that are not operated by Getretrograd. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through links on our website or platform. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

13. Do Not Track Signals

Some web browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want your online browsing activity to be tracked. Our website does not currently respond to DNT signals because there is no industry standard for how to interpret them. However, you can use the cookie controls described in our Cookie Policy to manage tracking on our site.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this policy
  • Send you an email notification to the address associated with your account
  • Display a prominent notice on our website or within the platform
  • For significant changes affecting how we use your data, seek your renewed consent where required by law

Your continued use of our services after the effective date of the updated policy constitutes your acceptance of the changes. We encourage you to review this policy periodically to stay informed about how we protect your information.

15. Contact Us and Data Protection Officer

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

  • Email: privacy@getretrograd.com
  • Data Protection Officer: dpo@getretrograd.com
  • Mailing Address:
    Getretrograd, Inc.
    Attn: Privacy / Data Protection Officer
    548 Market Street, Suite 2800
    San Francisco, CA 94104
    United States

For users in the European Economic Area, our EU Representative for GDPR purposes can be reached at: eu-rep@getretrograd.com.

We are committed to working with you to resolve any privacy concerns you may have. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

16. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of law provisions. Notwithstanding the foregoing, the privacy rights of individuals in the European Economic Area, United Kingdom, and other jurisdictions are governed by their respective applicable laws including the GDPR and UK GDPR, as applicable.