Privacy Policy
Effective date: January 1, 2026
Northwind Labs ("Northwind", "we", "us") provides a collaborative workspace product at northwindlabs.example. This policy explains what personal data we collect, why we collect it, how we share it, and the rights you have over it.
1. Who this policy covers
This policy applies to everyone who visits northwindlabs.example, creates a Northwind account, or otherwise interacts with our services. It does not cover personal data we process on behalf of a customer (for example, content uploaded into a customer's workspace) — for that, the customer is the data controller and their own privacy policy governs.
2. Information we collect
Information you provide directly
When you create an account, we collect your name, email address, and a password (which we store as a salted hash, never in plaintext). If you join a team, we record which teams you belong to and your role within each. When you communicate with our support team, we keep a copy of your messages and any context you provide.
Information collected automatically
When you use Northwind, we collect:
- Account activity — when you log in, which workspaces you visit, which features you use.
- Device and connection information — browser type, operating system, IP address, approximate location derived from IP (city-level).
- Error reports — when something breaks, we collect the stack trace and the URL you were on so we can fix it.
Information from third parties
When you pay for Northwind through Stripe, we receive your name, email address, billing country, and the last four digits of your payment card. We do not receive or store full card numbers.
3. How we use information
We use the information above to:
- Operate the service: authenticate you, route your requests, send transactional emails (sign-up confirmation, password resets, billing receipts).
- Provide support: respond to your messages, troubleshoot bugs.
- Improve the product: understand which features are used and which aren't, prioritize what to build next.
- Detect and prevent abuse, fraud, and security incidents.
- Send service announcements and (with separate consent) product news.
We rely on the following GDPR legal bases:
- Contract — for everything required to deliver the service you signed up for.
- Legitimate interests — for security, fraud prevention, and product analytics conducted in privacy-preserving ways.
- Consent — for marketing communications and any non-essential cookies.
- Legal obligation — for tax and accounting records.
4. Sub-processors
We share data with the following sub-processors, each of which has signed our standard data-processing agreement and is bound by GDPR-compliant contractual clauses:
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Application hosting, database, file storage | US (us-east-1), EU (eu-west-1) |
| Stripe | Payment processing | US, EU |
| PostHog | Product analytics | US or EU (per customer region) |
| Intercom | Customer support inbox | US |
| Sentry | Error tracking | US, EU |
| Resend | Transactional email delivery | US |
A current sub-processor list is maintained at northwindlabs.example/legal/sub-processors and is updated at least 30 days before adding a new sub-processor; you may object to a new sub-processor by writing to [email protected].
5. International transfers
For customers in the European Economic Area, United Kingdom, or Switzerland, we transfer personal data to the United States under the EU Standard Contractual Clauses (the 2021 modules) and, where applicable, the UK International Data Transfer Addendum. We have completed a transfer impact assessment which is available on request.
6. Retention
We keep personal data only as long as needed:
- Account data — for the life of your account, then 30 days after deletion (to allow recovery from accidental deletion).
- Project content — for the life of your subscription. On cancellation, exported on request and then deleted within 90 days.
- Logs and error reports — 90 days, then aggregated or deleted.
- Billing records — 7 years (US/EU tax retention rules).
- Support transcripts — 3 years from the last message in the conversation.
7. Your rights
You have the right to access, correct, port, restrict, or delete your personal data, and to object to processing based on legitimate interests. You can exercise most of these directly from your account settings; for the rest, write to [email protected].
For California residents (CCPA / CPRA): you have the right to know what we collect and share, to delete your data, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell personal information, and we do not use it for cross-context behavioral advertising. We retain personal information only for the time periods listed above.
For UK residents: you may lodge a complaint with the Information Commissioner's Office (ico.org.uk).
For Canadian residents: you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).
8. Security
We protect your data with encryption in transit (TLS 1.3) and at rest (AES-256), with role-based access controls, with regular penetration testing, and with an incident-response process that includes 72-hour notification of any breach affecting personal data.
9. Children
Northwind is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact us and we will delete it.
10. Changes
We will notify you of material changes by email and by a banner inside the product at least 30 days before the change takes effect. Continued use of the service after that date constitutes acceptance.
11. Contact
Data protection officer: [email protected] Mailing address: Northwind Labs, Inc., 1234 Market Street, Suite 500, San Francisco, CA 94103, USA.
For EU/UK customers, our EU representative is [Representative Name] at [Representative Address], appointed under GDPR Art. 27.