Privacy Policy
Effective date: March 5, 2026
1. Data Controller
Toolbox Lab is a sole proprietorship (eenmanszaak) registered in the Netherlands.
- Trade name: Toolbox Lab
- KvK: 95851488
- BTW: NL005176150B40
- Email: [email protected]
2. What Data We Collect
All tools on Toolbox Lab run entirely in your browser. We do not upload, store, or process any files or content you create with our tools on our servers.
2.1 Pro Subscription (via Stripe)
If you purchase a Pro subscription, Stripe Inc. collects your email address and payment details. We receive your email and subscription status from Stripe but never see your full card number. This data is processed on the legal basis of contract performance (Art. 6(1)(b) GDPR).
2.2 Analytics (Vercel)
We use Vercel Analytics to understand how visitors use our site. Vercel Analytics is privacy-friendly and does not use cookies. It collects anonymized page-view data (no personal identifiers). This data is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in improving our service.
2.3 Advertising (Google AdSense)
Free users may see ads served by Google AdSense. Google may place cookies on your device to show personalized ads. These cookies are only loaded after you give consent via our cookie banner (Art. 6(1)(a) GDPR). You can withdraw consent at any time through the “Cookie Settings” link in the footer.
3. Cookies
| Category | Cookie | Purpose | Consent |
|---|---|---|---|
| Necessary | pro_session | Verifies your Pro subscription status | Not required |
| Necessary | cookie_consent | Stores your cookie preferences | Not required |
| Advertising | Google AdSense cookies | Personalized advertisements | Required |
4. Third-Party Processors
- Stripe Inc. (USA) — payment processing. Privacy policy: stripe.com/privacy
- Google LLC (USA) — advertising (AdSense). Privacy policy: policies.google.com/privacy
- Vercel Inc. (USA) — hosting and analytics. Privacy policy: vercel.com/legal/privacy-policy
- Upstash Inc. (USA) — Redis cache for Pro status verification.
Transfers to the USA are covered by these providers’ EU Standard Contractual Clauses and/or EU-U.S. Data Privacy Framework certifications.
5. Data Retention
- Stripe data: retained for the duration of your subscription plus the legally required retention period for financial records (7 years under Dutch law).
- Pro session cookie: expires when the subscription ends or is revoked.
- Cookie consent preference: stored in your browser until you clear your data or change your preference.
6. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”, Art. 17)
- Restrict processing (Art. 18)
- Data portability (Art. 20)
- Object to processing (Art. 21)
- Withdraw consent at any time (Art. 7(3))
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
7. Complaints
If you believe we are not handling your data correctly, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens): autoriteitpersoonsgegevens.nl.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.