Informativa Privacy
legal.privacy.effectiveDate
1. Data Controller
Toolbox Lab is a sole proprietorship (eenmanszaak) registered in the Netherlands.
- Trade name: Toolbox Lab
- KvK: 95851488
- BTW: NL005176150B40
- Email: [email protected]
2. What Data We Collect
All tools on Toolbox Lab run entirely in your browser. We do not upload, store, or process any files or content you create with our tools on our servers.
2.1 Pro Subscription (via Stripe)
If you purchase a Pro subscription, Stripe Inc. collects your email address and payment details. We store your email address and a pseudonymous customer identifier on our servers to provide account management and service communications (e.g. important service updates or security notices). We never see or store your full payment details — Stripe retains those as our payment processor. This data is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR). You can see your stored email on the Pro Account page.
2.2 Analytics (Vercel)
We use Vercel Analytics to understand how visitors use our site. Vercel Analytics is privacy-friendly and does not use cookies. It collects anonymized page-view data (no personal identifiers). This data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in improving our service.
2.3 Advertising (Google AdSense)
Free users may see ads served by Google AdSense. Google may place cookies on your device to show personalized ads. These cookies are only loaded after you give consent via our cookie banner (Art. 6(1)(a) GDPR). You can withdraw consent at any time through the “Cookie Settings” link in the footer.
2.4 Cloud Backup (Pro)
If you have an active Pro subscription, your tool data (business profile, saved clients, invoice history, invoice templates, invoice settings, saved regex patterns, saved cron expressions, favorite business names, favorite tools, and tool usage history) is automatically backed up to our cloud infrastructure (Upstash Redis). This data is encrypted in transit (TLS) and associated with your Stripe customer ID — not your name or email address.
Cloud backup is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR) as part of the Pro subscription service. You can export all your data at any time from the Pro Account page.
3. Cookies
| Category | Cookie | Purpose | Consent |
|---|---|---|---|
| Necessary | toolbox_pro | Verifies your Pro subscription status | Not required |
| Necessary | cookie_consent | Stores your cookie preferences | Not required |
| Advertising | Google AdSense cookies | Personalized advertisements | Required |
4. Third-Party Processors
- Stripe Inc. (USA) — payment processing. Privacy policy: stripe.com/privacy
- Google LLC (USA) — advertising (AdSense). Privacy policy: policies.google.com/privacy
- Vercel Inc. (USA) — hosting and analytics. Privacy policy: vercel.com/legal/privacy-policy
- Upstash Inc. (USA) — Redis cache for Pro status verification and cloud backup data storage (Pro subscribers only). Privacy policy: upstash.com/trust/privacy
Transfers to the USA are covered by these providers’ EU Standard Contractual Clauses and/or EU-U.S. Data Privacy Framework certifications.
5. Data Retention
- Stripe data: retained for the duration of your subscription plus the legally required retention period for financial records (7 years under Dutch law).
- Email address: stored for the duration of your Pro subscription. Deleted when your subscription ends, unless you have opted in to service communications.
- Pro session cookie: expires when the subscription ends or is revoked.
- Cloud backup data: stored for the duration of your Pro subscription. After cancellation, your cloud data is retained for 90 days to allow recovery. After 90 days, it is automatically and permanently deleted. You can download your data at any time during this period from the Pro Account page.
- Cookie consent preference: stored in your browser until you clear your data or change your preference.
6. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”, Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
7. Complaints
If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.