Privacy Policy

Capritora SRL operates the Redate.io platform. This Privacy Policy explains how Redate collects, uses, stores, and protects your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and other applicable data protection legislation. This Privacy Policy applies to all users of the Redate.io platform, including website visitors, registered users, and B2B customers. Given the nature of email data processing performed by the Service, Capritora SRL has conducted a Data Protection Impact Assessment (DPIA) in accordance with GDPR Article 35 to identify and mitigate risks associated with the processing of personal data contained in email communications.

The data controller responsible for the processing of your personal data is: Capritora SRL 488 Chaussee de Louvain 1380 Ohain, Belgium Enterprise number: BE0786931405 Email: hello@redate.io As a small and medium-sized enterprise, Capritora SRL is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. For any data protection inquiries, contact Redate at hello@redate.io.

Redate collects and processes the following categories of personal data, limited to what is strictly necessary for service delivery (data minimization principle, GDPR Article 5(1)(c)): Account data: email address (required for authentication and communication), full name (required for invoicing), company name (optional, for B2B invoicing), country (required for tax calculation), VAT number (optional, for reverse charge eligibility), password (stored as a bcrypt hash, never in plain text). Connection data: email provider type (Google Workspace, Microsoft 365, or IMAP), domain name, connection status, admin email (for Google Workspace), tenant ID (for Microsoft 365). Mailbox metadata: mailbox email address, total email count, number of affected emails, scan results, fix progress and status, timestamps. Payment data: processed entirely by Stripe. Redate stores only order references, invoice links, and payment status. Credit card numbers are never stored by Redate. Usage data: IP address (for security and abuse prevention), browser type and version, pages visited, timestamps of access. Referral data: referral code used (if applicable), click tracking (anonymized, no personal identifiers).

Redate processes your personal data for the following specific purposes: - Service delivery: providing the email date scanning and correction service, including mailbox connection, scanning, fixing, and reporting. - Payment processing: processing payments, generating invoices, managing refunds, and maintaining financial records. - Transactional communications: sending account verification emails, password reset links, fix completion notifications, and service-related announcements. - Partner and affiliate management: managing partner and affiliate program registrations, tracking referrals, and processing commissions. - Security and abuse prevention: detecting and preventing unauthorized access, fraud, and service abuse; monitoring for security incidents. - Legal compliance: fulfilling obligations under Belgian and EU law, including accounting, tax reporting, and responding to lawful requests from authorities. - Service improvement: analyzing aggregated, anonymized usage patterns to improve the Service (no individual profiling is performed).

In accordance with GDPR Article 6(1), Redate processes your personal data on the following legal bases: Consent (Article 6(1)(a)): Your explicit consent is obtained when you authorize Redate to access your email mailbox. You may withdraw this consent at any time by revoking access through your email provider's admin console. Contractual necessity (Article 6(1)(b)): Processing of account data, connection data, mailbox metadata, and payment data is necessary for the performance of the contract between you and Redate (i.e., providing the Service you requested). Legitimate interest (Article 6(1)(f)): Processing of usage data (IP address, browser information) is based on Redate's legitimate interest in ensuring the security of the Service, preventing fraud, and improving service quality. Redate has balanced this interest against your rights and freedoms and concluded that the processing is proportionate and does not override your interests. Legal obligation (Article 6(1)(c)): Retention of payment records for 10 years is required by Belgian accounting law (Code des societes et des associations). Incident reporting obligations arise under the NIS2 Directive.

This section describes how Redate handles the content of your emails, which may contain personal data of third parties. Redate never permanently stores the content of your emails. The processing is strictly transient: 1. Each email is downloaded from your mailbox. 2. The email is processed in server memory to correct the corrupted date headers. 3. The corrected email is placed back into your mailbox with the original date restored. 4. The email content is immediately discarded from Redate's systems. This entire process takes seconds per email. At no point is email content written to persistent storage (disk, database, or backup). Only metadata (email counts, fix status, timestamps) is retained for service delivery and support. For B2B customers who use Redate to process mailboxes belonging to their employees or end users, a separate Data Processing Agreement (DPA) is available to formalize the relationship under GDPR Article 28.

Redate retains personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the storage limitation principle (GDPR Article 5(1)(e)): Account data: retained until you delete your account. Upon account deletion, all personal data is permanently and irreversibly removed within 30 days. Mailbox metadata (scan results, fix progress, fix status): retained for 12 months after the last fix operation, then permanently deleted. This retention period allows Redate to provide support and resolve disputes. Payment records (order references, invoice links, payment amounts): retained for 10 years as required by Belgian accounting law (Article III.86 of the Belgian Code of Economic Law). Fix job logs (technical processing logs): retained for 90 days for support and debugging purposes, then anonymized (all personal identifiers removed). Email content: never stored permanently. Processed transiently in memory only, as described in Section 6.

Redate uses the following third-party sub-processors to deliver the Service. Each sub-processor is bound by a data processing agreement and processes data only for the purposes specified: Render.com (Render Services, Inc., United States) - hosting, infrastructure, and application deployment. Processes: all data stored by Redate (account data, mailbox metadata, payment references). Stripe (Stripe, Inc., United States) - payment processing and invoicing. Processes: payment card data, billing information, transaction records. Google Cloud (Google LLC, United States) - email API access for Google Workspace connections. Processes: email data (transiently, via the Gmail API). Microsoft Azure (Microsoft Corporation, United States) - email API access for Microsoft 365 connections. Processes: email data (transiently, via the Microsoft Graph API). Resend (Resend, Inc., United States) - transactional email delivery. Processes: recipient email addresses, email content for transactional messages. CookieYes (Vysion Technologies OPC Pvt. Ltd., India) - cookie consent management. Processes: consent preferences, anonymized visitor data for consent records. Google Tag Manager and Google Analytics (Google LLC, United States) - analytics and advertising measurement. Processes: anonymized usage data, conversion events (only with user consent). Redate will notify you of any changes to sub-processors that materially affect the processing of your data.

Some of Redate's sub-processors are located in the United States, which the European Commission has not recognized as providing an adequate level of data protection (prior to the EU-US Data Privacy Framework). To ensure GDPR-compliant international data transfers, Redate relies on the following safeguards: Standard Contractual Clauses (SCCs): All US-based sub-processors have entered into Standard Contractual Clauses approved by the European Commission (Commission Implementing Decision (EU) 2021/914), which provide appropriate safeguards for the transfer of personal data. EU-US Data Privacy Framework: Where applicable, sub-processors that are certified under the EU-US Data Privacy Framework provide an additional layer of protection. Redate has assessed the legal framework and practices in the recipient countries and concluded that, combined with the SCCs and supplementary measures implemented by each sub-processor, the transfers provide an essentially equivalent level of protection to that guaranteed within the European Economic Area. You may request a copy of the relevant SCCs by contacting Redate at hello@redate.io.

Under the GDPR, you have the following rights regarding your personal data: Right of access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes, categories, recipients, and retention periods. Right to rectification (Article 16): You have the right to obtain the correction of inaccurate personal data and to have incomplete data completed. Right to erasure (Article 17): You have the right to obtain the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed. This right does not apply where retention is required by law (e.g., payment records). Right to restriction (Article 18): You have the right to obtain restriction of processing in certain circumstances, such as when you contest the accuracy of the data or when the processing is unlawful. Right to data portability (Article 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. Right to object (Article 21): You have the right to object to processing based on legitimate interest. Redate will cease processing unless it demonstrates compelling legitimate grounds. Right to withdraw consent (Article 7(3)): You may withdraw your consent for mailbox access at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. To exercise any of these rights, contact Redate at hello@redate.io. Redate will respond to your request within 30 days. If your request is complex, this period may be extended by an additional 60 days, and you will be informed accordingly.

Redate implements appropriate technical and organizational measures to protect your personal data, in accordance with GDPR Article 32 and the obligations set out in the NIS2 Directive (Directive (EU) 2022/2555) as transposed into Belgian law: Encryption in transit: All communications between your browser and Redate's servers use TLS/HTTPS encryption. Encryption at rest: Credentials and OAuth tokens are encrypted using AES-256-GCM. Passwords are hashed using bcrypt with a cost factor that meets current security standards. Access control: Access to production systems is restricted to authorized personnel only and is logged for audit purposes. Data minimization: Email content is never stored persistently. Only the minimum metadata necessary for service delivery is retained. Incident management: Redate maintains incident detection and response procedures. In accordance with the NIS2 Directive, significant security incidents are reported to the Centre for Cybersecurity Belgium (CCB), the national CSIRT. Regular security reviews: Redate conducts periodic reviews of its security practices and infrastructure.

In the event of a personal data breach, Redate will comply with the notification obligations under GDPR Articles 33 and 34: Notification to supervisory authority: Redate will notify the Belgian Data Protection Authority (APD/GBA) within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. Notification to data subjects: If the breach is likely to result in a high risk to your rights and freedoms, Redate will communicate the breach to you without undue delay, describing the nature of the breach, the likely consequences, and the measures taken to address it. In accordance with the NIS2 Directive, significant cybersecurity incidents will also be reported to the Centre for Cybersecurity Belgium (CCB).

The Service is not intended for use by individuals under the age of 18. Redate does not knowingly collect personal data from children. If Redate becomes aware that personal data has been collected from a child without appropriate parental consent, Redate will take steps to delete that data promptly. If you believe that Redate has collected personal data from a child, please contact Redate immediately at hello@redate.io.

Redate uses cookies for essential functionality, analytics, and advertising measurement. Non-essential cookies are only set after you give explicit consent through the cookie consent banner managed by CookieYes, a Google-certified Consent Management Platform. For detailed information about the cookies used by Redate, including their purpose, duration, and legal basis, please refer to the Cookie Policy available at redate.io.

Redate.io uses the following third-party services for analytics and advertising, subject to your explicit consent: Google Analytics 4 (GA4): Redate uses Google Analytics 4 via Google Tag Manager to measure website traffic and understand how visitors interact with the site. Data collected includes pages visited, session duration, browser type, device type, country, and referral source. IP addresses are anonymized. No personal data (name, email, account information) is collected by analytics. Google Analytics cookies are only set after you accept the "Analytics" category in the cookie consent banner. Google Ads conversion tracking: Redate uses Google Ads to measure the effectiveness of advertising campaigns. Conversion tracking records whether a click on a Google ad led to a specific action (such as a sign-up or purchase). No personal browsing data is shared with Redate through this process. Conversion cookies are only set after you accept the "Advertising" category in the cookie consent banner. Google Ads remarketing: Redate may use Google Ads remarketing to show relevant ads to previous visitors on the Google Display Network and Google Search. Remarketing cookies are only set after you accept the "Advertising" category in the cookie consent banner. You can opt out of personalized ads at any time via Google Ad Settings (adssettings.google.com) or via the Network Advertising Initiative opt-out page (optout.networkadvertising.org). Google Consent Mode v2: Redate.io implements Google Consent Mode v2, which ensures that all Google services (Analytics, Ads) respect your consent choices in real time. When consent is denied, no tracking cookies are set and no personal data is sent to Google. Redate does not sell, share, or transfer your personal data to third parties for their own advertising purposes.

Redate may update this Privacy Policy from time to time to reflect changes in data processing practices, legal requirements, or the Service itself. Material changes will be communicated to you by email and/or by a prominent notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the Privacy Policy was last revised. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acknowledgment of the changes.

For any privacy-related questions, to exercise your data subject rights, or to file a complaint, contact Redate at: Capritora SRL 488 Chaussee de Louvain 1380 Ohain, Belgium Enterprise number: BE0786931405 Email: hello@redate.io You also have the right to lodge a complaint with the Belgian Data Protection Authority (Autorite de protection des donnees / Gegevensbeschermingsautoriteit): Rue de la Presse 35 1000 Brussels, Belgium Website: www.dataprotectionauthority.be Email: contact@apd-gba.be