Privacy Policy

Last updated: 11 June 2026.

Data controller

Controller: the individual behind Labeler, resident in Italy. Contact for privacy enquiries and data-subject requests: info@labeler.eu. No Data Protection Officer is appointed — the operator does not reach the thresholds of GDPR Art. 37.

Data we collect

Account data (email, optional name, profile image when you sign in with Google), uploaded files for labeling and verification (processed in-memory and never stored beyond the audit-log SHA-256 hash), feedback messages, error reports including a salted hash of your IP, and Stripe subscription metadata for paid plans.

Why we process this data

To authenticate you, provide the labeling and verification services you request, send transactional emails (magic-link sign-in, deadline reminders), bill you for paid plans via Stripe, and detect abuse or fix bugs through rate-limited error logs.

Legal basis (GDPR Art. 6)

Performance of the contract with you (Art. 6(1)(b)) for account, labeling, and billing operations; legitimate interests (Art. 6(1)(f)) for security telemetry, error tracking and fraud prevention; consent (Art. 6(1)(a)) for marketing emails and analytics cookies.

Third-party processors

Hosting and edge functions: Vercel Inc., USA (Standard Contractual Clauses + EU-US Data Privacy Framework). Database: Neon Inc., EU region. Transactional email: Resend Inc., USA (SCCs). Payments: Stripe Payments Europe Ltd, Ireland — card processing partially in the US under SCCs + DPF. Authentication: Google Ireland Ltd, Ireland (SCCs + DPF). Rate-limit cache: Upstash Inc., USA (SCCs). Uploaded files are not stored by any third-party processor — labeling runs client-side or in-memory inside the Vercel function. The current processor list and SCC versions are available on request via info@labeler.eu.

How long we keep your data

Error logs: 30 days (auto-purged). Account data: until you delete your account. Labeling audit log (LabelingEvent): retention depends on your plan — Free 90 days, Agency 1 year, Business 5 years, Enterprise for the lifetime of the account. Older events are pruned daily; everything is deleted immediately when you delete your account. Stripe data: retained per Stripe's policy for invoicing and tax obligations (typically 10 years in the EU for VAT records). Backups: encrypted, rotated weekly.

Your rights

Under the GDPR you can access (Art. 15), rectify (Art. 16), erase (Art. 17), restrict (Art. 18), port (Art. 20), and object to (Art. 21) processing of your data. Account deletion and data export are self-serve in your dashboard settings. You may also lodge a complaint with a supervisory authority. The competent authority for Labeler is the Italian Garante per la protezione dei dati personali (https://www.garante.it). Residents of other EU member states may also complain to their national authority.

Cookies and tracking

We set strictly-necessary session cookies for authentication. Analytics (Vercel Analytics, Vercel Speed Insights) only load after you accept analytics cookies in the consent banner. See the cookie banner for the full inventory.

Contact

Email info@labeler.eu for privacy enquiries, GDPR data-subject requests or any complaint. We respond within 30 days as required by GDPR Art. 12(3) and aim to reply within 7 days for routine requests.