Slaeb is a European-built SaaS platform engineered from day one to meet the highest data protection standards. Whether you operate in the EU, the UK, the Caribbean, the United States or Asia, our platform helps you stay compliant and your customers’ trust intact.
Data protection is not a checkbox at Slaeb; it is a founding principle. As a European SaaS company serving SMEs across five regions, we know that the businesses we work with rely on us to handle personal data with the same care they apply to themselves.
This page is our public statement of compliance with the General Data Protection Regulation (Regulation EU 2016/679), the UK GDPR and the Data Protection Act 2018. It complements our Privacy Policy and our Data Processing Agreement.
Privacy by design and by default — Every feature we build is reviewed for data-protection impact before it ships. Personal data is collected only when needed, retained only as long as required, and protected by appropriate technical and organisational measures.
Under GDPR, every party that handles personal data is either a controller (decides why and how data is processed) or a processor (handles data on behalf of a controller). Slaeb plays both roles, depending on the context:
For data we collect directly — account holders, prospects, website visitors, billing contacts, support requesters. Our Privacy Policy applies.
For every processing activity, we identify and document a lawful basis as required by Article 6 of GDPR:
| Lawful basis | When we use it |
|---|---|
Contract (Art. 6(1)(b)) |
Delivering the platform, processing payments, providing support to subscribers |
Legal obligation (Art. 6(1)(c)) |
Keeping accounting records, responding to regulatory requests, tax compliance |
Legitimate interest (Art. 6(1)(f)) |
Improving the platform, preventing fraud, securing systems, and internal reporting |
Consent (Art. 6(1)(a)) |
Marketing emails, non-essential cookies, and optional analytics features |
For special category data (Art. 9), we rely on explicit consent or on a legal basis under employment law — for example, when HRMS processes health data for sick-leave tracking on behalf of an employer.
Every person whose data we process — whether as controller or processor — has the rights set out in Chapter III of GDPR. We have workflows in place to handle each one within the regulatory deadline of one month.
Receive a copy of all personal data we hold and information about how it's processed.
Have inaccurate data corrected without undue delay.
Have data deleted in qualifying circumstances ("right to be forgotten").
Restrict processing while a complaint is being verified.
Receive your data in a structured, commonly used, machine-readable format.
Object to processing based on legitimate interest or direct marketing.
Not be subject to decisions based solely on automated processing; request human review.
Lodge a complaint with a supervisory authority (CNIL, ICO, AP, etc.).
Where we are processor, requests should normally be addressed to the controller (your employer or the organisation that uploaded your data). We will support our customers in fulfilling them within the agreed timeframe.
If you are a customer who processes personal data through Slaeb, you need a Data Processing Agreement with us, as required by Article 28 GDPR. Our DPA is integrated automatically into our standard subscription terms and includes:
A signed copy of the DPA is available on request at info@slaeb.com. Enterprise customers can request a counter-signed version.
We use a small number of carefully vetted sub-processors to deliver Slaeb. Every one is bound by a written contract with at least the same data-protection obligations we have to you, and is regularly reviewed.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
Hostinger |
Application & database hosting |
European Union |
GDPR (EU) |
Stripe |
Payment processing |
EU / US |
SCCs + DPF |
OpenAI / Anthropic |
AI feature processing |
EU / US |
SCCs + Zero Data Retention |
Privacy-friendly analytics |
Aggregated usage metrics |
EU |
GDPR (EU) |
We notify customers of any new sub-processor at least 30 days in advance, giving them an opportunity to object on reasonable grounds.allowing them
We apply the principle of storage limitation — personal data is kept only as long as it is needed, then anonymised or deleted.
| Category | Retention period | Reason |
|---|---|---|
Active customer data |
Duration of the contract |
Contract performance |
Account data after termination |
30 days |
Recovery period, then deletion |
Invoices and financial records |
10 years (FR) / 6 years (UK) |
Legal obligation |
Support tickets |
3 years |
Quality & training |
Server access logs |
90 days |
Security & abuse detection |
Backups |
30 days (rolling) |
Business continuity |
Marketing consent records |
Until withdrawn + 3 years |
Proof of consent |
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
We minimise transfers outside the EU/EEA wherever possible. When transfers are necessary, we use one of these safeguards as required by Chapter V of GDPR:
If a personal data breach occurs, we follow a strict notification protocol:
While GDPR only requires the formal appointment of a DPO in specific cases, Slaeb maintains a dedicated Data Protection Officer as a sign of our commitment. Our DPO is independent, reports directly to senior management, and is your point of contact for any privacy question.
Yes. Slaeb is built on GDPR principles, privacy by design and by default, lawful processing, data minimisation, security, and accountability. We maintain records of processing activities, conduct data protection impact assessments where required, and have a dedicated DPO.
Yes. Our DPA is included automatically in our subscription terms for every paid customer. A separately signed version is available on request at info@slaeb.com.
Primary application data is hosted on European infrastructure (Hostinger EU data centres). Certain sub-processors (Stripe, Twilio, AI providers) may process data in the US under appropriate safeguards — Standard Contractual Clauses and where applicable the EU-US Data Privacy Framework.
If you are an account holder, email info@slaeb.com. If your data is in Slaeb because your employer or another organisation uses our platform, please contact them first — they are the controller and we will support them in fulfilling your request.
Yes. Account holders can request deletion at any time. We will delete or anonymise your data within 30 days, except where retention is legally required (e.g. invoicing). Backups are purged on their 30-day rolling cycle.
AI features that process personal data run on providers contractually committed to zero data retention and no training on customer data. We disclose AI processing in our Privacy Policy and offer non-AI alternatives where feasible. See our Responsible AI Policy for full detail.
As a company established in the EU (Slaeb), we do not require an Article 27 representative. Our registered office serves as our establishment in the EU.
Any successor entity would be bound by the commitments in our Privacy Policy and DPA. We would notify customers in advance and give them the opportunity to export their data and cancel before the transfer takes effect.
For any GDPR-related question, formal request or complaint.
