1. Data Controller
Retirement Lab, based in Portugal, is the data controller for the personal data processed through this service. For data protection inquiries, contact us at: privacy@retirement-lab.com
2. Data We Collect
- Account information: email address and name provided during registration
- Simulation data: parameters you enter and results generated by the engine, stored to enable your simulation history
- Cookies: functional cookies required for authentication and session management only
- Payment information: if you subscribe to Pro, payment details are collected and processed by our payment processor — we do not store credit card numbers
3. Legal Bases for Processing
We process your personal data under the following legal bases (Article 6 GDPR):
- Contract performance: processing necessary to provide the Service (account management, simulation storage, subscription billing)
- Legitimate interest: fraud prevention and security
4. Third-Party Processors
We share personal data with the following third-party processors, each bound by data processing agreements:
- Supabase — database hosting and authentication (US-based, Standard Contractual Clauses in place)
- Vercel — application hosting and edge delivery (US-based, Standard Contractual Clauses in place)
- Payment processor — subscription billing (to be confirmed)
5. Data Retention
- Account data: retained for the duration of your account and deleted within 30 days of an account deletion request.
- Simulation data: retained for the duration of your account. You may delete individual simulations at any time.
- Payment records: retained as required by Portuguese tax law (up to 10 years for invoicing records).
6. Your Rights Under GDPR
As a data subject, you have the following rights:
- Access: request a copy of your personal data
- Rectification: correct inaccurate personal data
- Erasure: request deletion of your personal data ("right to be forgotten")
- Portability: receive your data in a structured, machine-readable format
- Restriction: request restriction of processing in certain circumstances
- Objection: object to processing based on legitimate interest
- Withdraw consent: where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at privacy@retirement-lab.com. We will respond within 30 days.
7. International Data Transfers
Some of our third-party processors are based in the United States. We ensure adequate protection for international transfers through Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with Chapter V of the GDPR.
8. Cookies
We use only essential cookies required for authentication and session management. These are strictly necessary for the Service to function and cannot be disabled. We do not use analytics, tracking, or advertising cookies.
9. Complaints
If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Portuguese Data Protection Authority (Comissão Nacional de Proteção de Dados — CNPD) at www.cnpd.pt, or with any other supervisory authority in your EU member state of residence.