policystamp.com
B2B SaaS startup · anonymized example

Northwind Labs

Northwind Labs sells a collaborative workspace product to small and mid-sized teams across North America and Europe. The business profile is the canonical SaaS startup: Stripe for billing, PostHog for product analytics, Intercom for support, Sentry for error tracking. Customers sign up directly online; there is no salesperson. Data sensitivity is normal — names, work emails, project content — without special categories.

Free preview · $2 · Audit passed · 4 issues addressed · 1280 words
Jurisdictions: US, EU, UK, CA
Integrations: Stripe, PostHog, Intercom, Sentry, AWS, Resend
Distinctive in this archetype
  • Sub-processor list with each vendor named
  • CCPA + GDPR rights presented side-by-side
  • Data-processing agreement reference for EU customers
  • Account-deletion workflow disclosed

Documents in this archetype

Privacy Policy

Effective date: January 1, 2026

Northwind Labs ("Northwind", "we", "us") provides a collaborative workspace product at northwindlabs.example. This policy explains what personal data we collect, why we collect it, how we share it, and the rights you have over it.

1. Who this policy covers

This policy applies to everyone who visits northwindlabs.example, creates a Northwind account, or otherwise interacts with our services. It does not cover personal data we process on behalf of a customer (for example, content uploaded into a customer's workspace) — for that, the customer is the data controller and their own privacy policy governs.

2. Information we collect

Information you provide directly

When you create an account, we collect your name, email address, and a password (which we store as a salted hash, never in plaintext). If you join a team, we record which teams you belong to and your role within each. When you communicate with our support team, we keep a copy of your messages and any context you provide.

Information collected automatically

When you use Northwind, we collect:

  • Account activity — when you log in, which workspaces you visit, which features you use.
  • Device and connection information — browser type, operating system, IP address, approximate location derived from IP (city-level).
  • Error reports — when something breaks, we collect the stack trace and the URL you were on so we can fix it.

Information from third parties

When you pay for Northwind through Stripe, we receive your name, email address, billing country, and the last four digits of your payment card. We do not receive or store full card numbers.

3. How we use information

We use the information above to:

  • Operate the service: authenticate you, route your requests, send transactional emails (sign-up confirmation, password resets, billing receipts).
  • Provide support: respond to your messages, troubleshoot bugs.
  • Improve the product: understand which features are used and which aren't, prioritize what to build next.
  • Detect and prevent abuse, fraud, and security incidents.
  • Send service announcements and (with separate consent) product news.

We rely on the following GDPR legal bases:

  • Contract — for everything required to deliver the service you signed up for.
  • Legitimate interests — for security, fraud prevention, and product analytics conducted in privacy-preserving ways.
  • Consent — for marketing communications and any non-essential cookies.
  • Legal obligation — for tax and accounting records.

4. Sub-processors

We share data with the following sub-processors, each of which has signed our standard data-processing agreement and is bound by GDPR-compliant contractual clauses:

Sub-processor | Purpose | Region
Amazon Web Services | Application hosting, database, file storage | US (us-east-1), EU (eu-west-1)
Stripe | Payment processing | US, EU
PostHog | Product analytics | US or EU (per customer region)
Intercom | Customer support inbox | US
Sentry | Error tracking | US, EU
Resend | Transactional email delivery | US

A current sub-processor list is maintained at northwindlabs.example/legal/sub-processors and is updated at least 30 days before adding a new sub-processor; you may object to a new sub-processor by writing to privacy@northwindlabs.example.

5. International transfers

For customers in the European Economic Area, United Kingdom, or Switzerland, we transfer personal data to the United States under the EU Standard Contractual Clauses (the 2021 modules) and, where applicable, the UK International Data Transfer Addendum. We have completed a transfer impact assessment which is available on request.

6. Retention

We keep personal data only as long as needed:

  • Account data — for the life of your account, then 30 days after deletion (to allow recovery from accidental deletion).
  • Project content — for the life of your subscription. On cancellation, exported on request and then deleted within 90 days.
  • Logs and error reports — 90 days, then aggregated or deleted.
  • Billing records — 7 years (US/EU tax retention rules).
  • Support transcripts — 3 years from the last message in the conversation.

7. Your rights

You have the right to access, correct, port, restrict, or delete your personal data, and to object to processing based on legitimate interests. You can exercise most of these directly from your account settings; for the rest, write to privacy@northwindlabs.example.

For California residents (CCPA / CPRA): you have the right to know what we collect and share, to delete your data, to correct inaccurate information, and to opt out of the "sale" or "sharing" of personal information. We do not sell personal information, and we do not use it for cross-context behavioral advertising. We retain personal information only for the time periods listed above.

For UK residents: you may lodge a complaint with the Information Commissioner's Office (ico.org.uk).

For Canadian residents: you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca).

8. Security

We protect your data with encryption in transit (TLS 1.3) and at rest (AES-256), with role-based access controls, with regular penetration testing, and with an incident-response process that includes 72-hour notification of any breach affecting personal data.

9. Children

Northwind is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected such information, contact us and we will delete it.

10. Changes

We will notify you of material changes by email and by a banner inside the product at least 30 days before the change takes effect. Continued use of the service after that date constitutes acceptance.

11. Contact

Data protection officer: privacy@northwindlabs.example

Mailing address: Northwind Labs, Inc., 1234 Market Street, Suite 500, San Francisco, CA 94103, USA.

For EU/UK customers, our EU representative is [Representative Name] at [Representative Address], appointed under GDPR Art. 27.

