Draft — pending legal review. These terms are not legally binding until finalized. Questions or corrections: legal@rateplane.com.

Last updated: April 24, 2026

Privacy Policy

This policy explains how Rateplane Ltd handles your personal data when you use the Rateplane service. It is written against the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are in the EEA, an equivalent standard applies under the EU GDPR; we process personal data the same way in either case.

1. Who we are

Rateplane Ltd is the data controller for personal data processed through the Rateplane service. We are a company registered in England and Wales. Registered office details are available on Companies House.

For any question about this policy or your personal data, contact us at privacy@rateplane.com. For matters specifically concerning data-protection law, write to our Data Protection contact at dpo@rateplane.com.

2. Personal data we collect

We collect and process the following categories of personal data.

  • Account data
      What it includes: Name, email address, workspace name, hashed password, and OAuth identifiers if you sign in via GitHub.
      Source: You, at registration and in account settings.
  • Billing data
      What it includes: Stripe customer ID, subscription status, plan, invoice history. We do not store card numbers.
      Source: Stripe, on your behalf, when you upgrade.
  • Workspace content
      What it includes: Saved filters, saved comparisons, price alerts, budgets, anomaly rules, team invites, annotations.
      Source: You, through normal use of the dashboard.
  • Connected-cloud data
      What it includes: Cloud-provider credentials (encrypted at rest), account metadata, and the billing and cost data we sync on your behalf. Typically business data rather than personal data, but it may include resource names that incidentally identify individuals.
      Source: You, by connecting cloud accounts.
  • Integration metadata
      What it includes: PagerDuty, Jira, Slack, or GitHub webhook URLs, routing keys, or tokens for integrations you enable.
      Source: You, when configuring an integration.
  • Usage data
      What it includes: Server logs (request paths, HTTP status, timestamps, coarse user-agent), feature-usage events, error traces.
      Source: Automatically, via your browser and our servers.
  • Marketing data
      What it includes: Email address and preferences, only where you have opted in (e.g. the product-update newsletter).
      Source: You, via a double-opt-in confirmation.

We do not knowingly collect data from people under 16. If you believe we hold data about a child, contact us and we will delete it.

3. Why we process data, and our lawful bases

Under UK GDPR Article 6, we rely on a specific lawful basis for each processing activity. The list below sets out each activity and the basis we rely on; the categories of data involved are those described in section 2.

  • Creating and operating your account; providing the paid or free features of the Service.
      Lawful basis: Performance of a contract (Art. 6(1)(b)).
  • Payment processing and subscription management via Stripe.
      Lawful basis: Performance of a contract (Art. 6(1)(b)).
  • Sending transactional emails (sign-up verification, password reset, invite emails, price alerts, budget alerts, anomaly notifications).
      Lawful basis: Performance of a contract (Art. 6(1)(b)).
  • Product analytics, error monitoring, performance debugging, and aggregated-usage statistics to improve the Service.
      Lawful basis: Legitimate interests (Art. 6(1)(f)). We have an interest in operating and improving the Service, balanced against your rights; you may object at any time.
  • Fraud prevention, abuse detection, rate-limit enforcement, and security monitoring.
      Lawful basis: Legitimate interests (Art. 6(1)(f)) and, where applicable, legal obligation (Art. 6(1)(c)).
  • Marketing emails about product updates, case studies, or new features.
      Lawful basis: Consent (Art. 6(1)(a)), opt-in only. You may withdraw consent at any time using the unsubscribe link in any marketing email.
  • Complying with tax, accounting, and other legal obligations in the UK.
      Lawful basis: Legal obligation (Art. 6(1)(c)).

4. How long we keep data (retention)

  • Account data: For the life of your account, then purged from primary storage within 30 days of deletion (see "Deleted-account remnants" below for backups).
  • Billing records and invoices: Retained for 7 years to meet UK tax and accounting requirements (HMRC record-keeping).
  • Synced cloud-spend data: 13 months rolling by default. Enterprise customers may request a different retention window in the order form.
  • Cloud-provider credentials: For as long as the connection is active; deleted from primary storage within 7 days of disconnection.
  • Server logs (request-level): 30 days.
  • Audit log (workspace actions): 365 days for Pro; negotiable for Enterprise.
  • Marketing email list: Until you unsubscribe, after which we retain a suppression entry (your email address) indefinitely so that we do not accidentally re-email you.
  • Deleted-account remnants: Purged from primary storage within 30 days of account deletion; purged from rolling backups within 90 days.

5. Who we share data with (sub-processors)

We share personal data with the following sub-processors, each bound by data-protection contracts:

  • Stripe Payments Europe, Ltd
      Purpose: Payment processing, subscription lifecycle, invoicing.
      Location: Ireland (EEA), with onward transfers under Stripe's SCCs.
  • Resend
      Purpose: Transactional email delivery (verification, alerts, invites).
      Location: USA, under an applicable transfer mechanism.
  • Vercel
      Purpose: Hosting and CDN for the web application.
      Location: USA, with EU region availability where required.
  • Sentry
      Purpose: Error monitoring and performance traces.
      Location: USA, under an applicable transfer mechanism.
  • Upstash (optional)
      Purpose: Distributed rate limiting. No account data is stored there.
      Location: EU region selectable.

We do not sell personal data, do not rent it to brokers, and do not use it for advertising. Integration services that you choose to enable (PagerDuty, Jira, Slack, GitHub, OpenCost, Infracost, CloudQuery) receive only the data required to operate that integration, on your instruction; they are independent controllers or processors of that data per their own policies.

We will publish a versioned sub-processor list and keep it up to date as sub-processors are added or removed. Enterprise customers may subscribe to change notifications in the order form.

6. International transfers

Some of our sub-processors are located outside the UK, typically in the USA. Where we transfer personal data out of the UK, we rely on:

  • the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs), or the UK International Data Transfer Agreement (IDTA); or
  • an adequacy decision where one exists for the destination country (for example, the UK Extension to the EU-US Data Privacy Framework for US companies enrolled in it).

The specific transfer mechanism for each sub-processor is available on request at dpo@rateplane.com.

7. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — deletion of your data, subject to legal retention obligations (for example, invoice records we must keep for tax purposes).
  • Restriction — asking us to temporarily stop processing your data while we resolve a dispute about it.
  • Objection — the right to object to processing based on legitimate interests, including direct marketing.
  • Portability — a machine-readable export of the data you gave us.
  • Withdrawing consent — where processing is based on consent (e.g. marketing emails), you can withdraw at any time without affecting prior processing.
  • No automated decisions — we do not make decisions about you solely by automated means that produce legal or similarly significant effects.

To exercise any right, email privacy@rateplane.com. We will respond within one month and, where necessary, extend by up to two further months for complex requests, notifying you of any extension. There is no fee except for manifestly unfounded or excessive requests.

8. Security

We apply technical and organisational measures proportionate to the risk, including TLS in transit, envelope encryption of cloud credentials at rest, role-based access controls, workspace isolation, rate limiting, and audit logging. See our Security page for a fuller description of controls.

If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

9. Cookies and similar technologies

We use only essential cookies required for authentication and a small number of first-party localStorage keys for your UI preferences (for example, dark/light theme). We do not use advertising, tracking, or analytics cookies. Full details are in our Cookie Policy.

10. Complaints

If you have a concern about how we handle your personal data, please raise it with us first at dpo@rateplane.com so we can try to resolve it quickly. You also have the right to complain to a supervisory authority. For UK users, the supervisory authority is the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

EEA users may complain to their local supervisory authority. A list is maintained by the European Data Protection Board.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the latest version. Where changes materially affect how your personal data is processed, we will notify registered users by email at least 30 days before the change takes effect.

12. Contact

General privacy questions: privacy@rateplane.com
Data-protection enquiries / formal requests: dpo@rateplane.com