GDPR Compliance
EULast Updated: June 4, 2026
This page explains how Incremenza handles personal data for European users and business customers under the General Data Protection Regulation (GDPR). It is written for business owners evaluating whether Incremenza is appropriate for their European operations — not as a substitute for legal advice.
For European business customers
If you are a business based in the EU or EEA and want to use Incremenza to process financial data that includes personal data of your customers or employees, this page explains the legal basis for that processing and your options.
For a formal Data Processing Agreement, see our Data Processing Addendum. To request a signed DPA for your organization, contact us at [email protected].
Our role under GDPR
Under GDPR, there are two roles: Data Controller and Data Processor. The distinction matters for how we handle your data.
When you use Incremenza for your own business
Incremenza acts as a Data Controller for your account information and usage data. We determine the purpose and means of processing your personal data.
When Incremenza processes your customers' data
Incremenza acts as a Data Processor when processing personal data about your customers (such as names and payment information imported from Stripe or QuickBooks). You remain the Data Controller.
Where your data is stored
Incremenza stores all customer data on servers located in the United States, operated by DigitalOcean. This means that personal data of European users is transferred to and processed in a country outside the European Economic Area (EEA).
For this transfer to be lawful under GDPR, we rely on Standard Contractual Clauses (SCCs) as the legal mechanism for international data transfers. These are contractual commitments approved by the European Commission that obligate us to protect your data to GDPR standards regardless of where it is processed.
If you require EU-based data storage for your organization, please contact us at [email protected] to discuss your requirements.
Legal basis for processing
We process personal data under the following legal bases:
Contract performance (Article 6(1)(b)): Processing necessary to provide the Incremenza service you have subscribed to, including account management, billing, and delivering product features.
Legitimate interests (Article 6(1)(f)): Processing for fraud prevention, security, product improvement, and analytical purposes that do not override your fundamental rights.
Legal obligation (Article 6(1)(c)): Processing required to comply with applicable laws, including financial regulations and tax requirements.
Consent (Article 6(1)(a)): For optional communications such as marketing emails, where you have given explicit consent which you may withdraw at any time.
Sub-processors
We use the following third-party sub-processors to deliver the Incremenza service. Each has been evaluated for GDPR compliance.
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| DigitalOcean | Infrastructure and data storage | United States | SCCs |
| Stripe | Payment processing and billing | United States | SCCs |
| Postmark | Billing-critical transactional email | United States | SCCs |
| Resend | Product lifecycle email | United States | SCCs |
| Google (Gemini AI) | Business advisory features (primary) | United States | SCCs |
| Google LLC | Authentication (Google SSO) | United States | SCCs + Google Workspace DPA |
| Microsoft Corporation | Authentication (Microsoft SSO) | United States | SCCs + Microsoft DPA |
| Anthropic (Claude AI) | Business advisory features (backup) | United States | SCCs |
| Sentry | Error monitoring and performance | United States | SCCs |
| Snapshooter | Database backup | United States | SCCs |
| GitHub | Source code management | United States | SCCs |
| Zapier | Customer data integrations | United States | SCCs |
We will notify you of any material changes to our sub-processor list at least 30 days in advance via email. You may object to new sub-processors by contacting us at [email protected].
Your rights under GDPR
If you are located in the EU or EEA, you have the following rights regarding your personal data:
Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Request correction of inaccurate or incomplete personal data.
Right to erasure
Request deletion of your personal data in certain circumstances.
Right to restrict processing
Request that we limit how we use your personal data.
Right to data portability
Receive your personal data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests or for direct marketing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.
Data retention
We retain personal data only for as long as necessary to provide the service and comply with legal obligations:
- — Active account data: Retained for the duration of your subscription.
- — Cancelled account data: Retained for 90 days after cancellation to allow reactivation, then deleted.
- — Billing records: Retained for 7 years to comply with financial record-keeping requirements.
- — Support communications: Retained for 2 years for quality assurance and dispute resolution.
- — Product usage data (including feature interaction and recommendation records): Retained for 6 months, then automatically deleted.
Contact and Data Protection inquiries
For any GDPR-related inquiries, data subject requests, or to request a signed Data Processing Agreement for your organization:
Incremenza, Inc.
Privacy and Data Protection inquiries:
[email protected]We aim to respond to all data protection inquiries within 5 business days and to all formal data subject requests within 30 days as required by GDPR Article 12.
This page is provided for informational purposes and does not constitute legal advice. The information on this page reflects our current practices and may be updated as our product and legal obligations evolve. For binding commitments, please refer to our Data Processing Addendum and Terms of Service.