Privacy Policy

Effective Date: March 28, 2026 | Last Updated: March 28, 2026

1. Introduction — Who We Are

RecoverKit ("we," "us," or "our") is a US-based software-as-a-service product that helps online businesses recover failed payments through AI-generated emails, SMS messages, and pre-dunning card expiration alerts. We integrate with Stripe to detect payment failures and communicate with your customers on your behalf.

This Privacy Policy explains how we collect, use, store, share, and protect information when you use the RecoverKit service ("Service"), visit our website at recoverkit.com ("Website"), or otherwise interact with us.

When we process personal data of your end customers on your behalf, we act as a data processor (or "service provider" under CCPA/CPRA). You (the merchant) remain the data controller (or "business" under CCPA/CPRA) for your end customers' personal data. We process that data only according to your instructions and for the purposes described in this policy and our Data Processing Agreement ("DPA").

Our mailing address is: RecoverKit, 1234 Innovation Way, Suite 100, Wilmington, DE 19801.

If you have questions or concerns about this policy, contact us at privacy@recoverkit.com.

2. Data We Collect

2.1 Merchant Account Data

When you sign up and connect your Stripe account, we collect:

Business name, email address, and Stripe account identifier
Service configuration preferences (email tone, custom instructions, branding settings)
Subscription and billing information (managed through Stripe)

2.2 End-User Data (Your Customers)

Through your Stripe account connection, we access and process the following data about your customers in order to send recovery communications:

Customer first names
Customer email addresses
Customer phone numbers (when available, for SMS recovery)
Payment failure details (failure reason codes, invoice amounts, subscription plan names)
Customer tenure and subscription metadata (used to personalize AI-generated messages)
Payment method expiration dates (for pre-dunning alerts)

We do not access or store full credit card numbers, bank account details, or any financial credentials. All payment method data is tokenized by Stripe.

2.3 Automatically Collected Data

When you visit our Website or use the Service dashboard, we may automatically collect:

IP address and approximate geographic location
Browser type, operating system, and device information
Pages visited, referring URL, and time spent on pages
Service usage data (recovery rates, dashboard interactions)

3. How We Use Data

We use the data we collect for the following purposes:

Providing the Service: Detecting failed payments, generating personalized recovery emails and SMS messages, sending pre-dunning card expiration alerts, and providing recovery analytics.
AI Content Generation: Passing limited payment context to our AI provider (Anthropic) to generate personalized recovery messages. Specifically, we share customer first names, payment amounts, subscription plan names, failure context, merchant business name, and merchant-configured tone and custom instructions. We do not send end-user email addresses, phone numbers, or other direct contact identifiers to the AI provider. See Section 7 for full details.
Service Improvement: Analyzing aggregate, de-identified usage patterns to improve recovery effectiveness and Service features.
Billing and Account Management: Processing subscription payments, managing your account, and communicating with you about the Service.
Legal Compliance: Meeting our legal obligations, resolving disputes, and enforcing our agreements.
Security: Detecting, preventing, and responding to fraud, abuse, and security incidents.

4. Legal Bases for Processing (GDPR Article 6)

For individuals in the European Economic Area (EEA), United Kingdom, and Switzerland, we rely on the following legal bases under the GDPR:

Processing Activity	Legal Basis
Providing the Service to merchants	Performance of a contract (Art. 6(1)(b))
Processing end-user data on behalf of merchants	Legitimate interests of the merchant (Art. 6(1)(f)) — specifically, recovering revenue from failed payments. The merchant, as data controller, is responsible for establishing their own legal basis with their customers.
Sending recovery emails/SMS to end users	Legitimate interests of the merchant (Art. 6(1)(f)) — recovering revenue from failed payments. We act as a processor under merchant instructions.
AI-generated content personalization	Legitimate interests of the merchant (Art. 6(1)(f)) — improving recovery success rates through personalized communication
Billing and subscription management	Performance of a contract (Art. 6(1)(b))
Service improvement with aggregate data	Legitimate interests (Art. 6(1)(f)) — improving the effectiveness of recovery communications
Legal compliance	Legal obligation (Art. 6(1)(c))
Security and fraud prevention	Legitimate interests (Art. 6(1)(f)) — protecting users and the Service from abuse

As a data processor, we process end-user personal data solely on the instructions of the merchant (data controller). Merchants are responsible for ensuring they have a valid legal basis to share their customers' data with RecoverKit and for providing any required notices to their customers.

Balancing test for legitimate interests: Where we rely on legitimate interests, we have assessed that the processing is necessary for the stated purpose, that there are no less intrusive means to achieve the same result, and that the processing does not override the fundamental rights and freedoms of data subjects. End users benefit from successful payment recovery because it prevents unintended service interruption.

5. Data Sharing & Sub-Processors

We do not sell, rent, or share personal data for cross-context behavioral advertising. We share data only with the following categories of service providers ("sub-processors") who are contractually obligated to protect it:

Sub-Processor	Purpose	Data Shared	Location
Stripe	Payment processing, OAuth account connection, Stripe Billing Portal links	Merchant account data, subscription billing data	United States
Resend	Transactional email delivery	End-user email addresses, email content (generated by AI)	United States
Twilio	SMS message delivery	End-user phone numbers, SMS content (generated by AI)	United States
Anthropic (Claude API)	AI content generation for recovery messages	Customer first names, payment amounts, plan names, failure context, merchant business name and tone settings. No email addresses, phone numbers, or other direct contact identifiers are shared.	United States
Railway	Application hosting and infrastructure	All Service data (encrypted at rest and in transit)	United States

We may also share data when required by law, to protect our legal rights, or in connection with a merger or acquisition (with prior notice to affected merchants).

5.1 Sub-Processor Change Notification

We will provide merchants with at least 30 days' advance written notice before adding or replacing a sub-processor that processes end-user personal data. The notice will identify the new sub-processor, describe the processing it will perform, and specify the anticipated date of engagement.

Merchants may object to a new sub-processor by notifying us in writing within 15 days of receiving the notice. If we cannot reasonably accommodate the objection, the merchant may terminate the affected Service within 30 days without penalty. Until termination takes effect or the objection is resolved, we will not engage the objected-to sub-processor for that merchant's data.

6. SMS Communications (TCPA Compliance)

RecoverKit enables merchants to send SMS-based payment recovery messages to their customers. The following terms apply to SMS communications sent through the Service:

Sender of record: SMS messages are sent on behalf of the merchant. The merchant is the sender of record for all SMS communications. RecoverKit acts solely as a technology service provider that facilitates message delivery; we are not the initiator or sender of SMS messages under the Telephone Consumer Protection Act (TCPA).
Merchant consent obligations: By enabling SMS recovery in RecoverKit, the merchant represents and warrants that it has obtained all necessary TCPA-compliant prior express consent (or prior express written consent, where required) from each end user before any SMS is sent. Merchants are solely responsible for maintaining records of such consent.
Opt-out: End users may opt out of SMS messages at any time by replying STOP to any message. We honor all opt-out requests immediately and maintain a suppression list. We will also honor opt-out requests sent to privacy@recoverkit.com.
Message frequency: End users may receive up to 4 SMS messages per failed payment event as part of a recovery sequence. Additional messages may be sent for separate payment failure events.
Message and data rates: Standard message and data rates may apply. RecoverKit does not charge end users for messages, but carriers may apply fees.
Content: SMS messages are transactional in nature and relate to an existing business relationship between the merchant and the end user. Messages contain payment recovery information and a link to update payment details.

7. AI & Automated Processing

RecoverKit uses Anthropic's Claude AI to generate personalized recovery emails and SMS messages. Here is how this works:

What we send to the AI: Customer first names, payment amounts, subscription plan names, payment failure reason codes, customer tenure, merchant business name, and merchant-configured tone and custom instructions. We do not send end-user email addresses, phone numbers, or other direct contact identifiers to the AI provider.
No AI training on your data: Under Anthropic's API terms of service, data submitted through the API is not used to train Anthropic's models. Your data and your customers' data are not used for AI training purposes.
Data minimization: We strip email addresses and other direct identifiers from AI prompts. Only the minimum data necessary for message personalization is shared.

7.1 Automated Decision-Making (GDPR Article 22)

RecoverKit employs automated decision-making to manage payment recovery sequences. The logic works as follows:

Detection: When a payment failure event is received from Stripe, the system automatically initiates a recovery sequence.
Sequence execution: A 4-step recovery sequence is executed over a configurable time period. Each step involves selecting a communication channel (email or SMS) based on available contact information and prior delivery outcomes.
Timing rules: Message timing is determined by preconfigured intervals (e.g., 1 hour, 24 hours, 72 hours, and 6 days after the initial failure). Merchants may customize these intervals.
Channel selection: The system automatically selects email or SMS based on availability of contact information, prior engagement, and merchant configuration.
Content generation: AI generates the message content based on the contextual data described above.

Human intervention: Merchants can configure tone, add custom instructions, adjust sequence timing, pause or disable sequences, and review all sent messages in their dashboard. Merchants act as the human-in-the-loop and can intervene at any point.

End-user rights: If you are an end user who has received a recovery message and wish to exercise your right to object to automated processing or request human review, please contact the merchant who uses RecoverKit. The merchant can pause automated recovery for your account. If you need further assistance, you may reach us at privacy@recoverkit.com.

8. Email Communications (CAN-SPAM Compliance)

Recovery emails sent through RecoverKit are transactional messages relating to an existing business relationship between the merchant and the end user (specifically, a failed payment on an active subscription). Under the CAN-SPAM Act, transactional messages are exempt from certain requirements that apply to commercial messages. Nonetheless, we apply the following practices:

Sender identification: All recovery emails clearly identify the merchant as the sender. The "From" name and address reflect the merchant's business identity.
Physical mailing address: All recovery emails include the merchant's physical address (if provided) or RecoverKit's address: 1234 Innovation Way, Suite 100, Wilmington, DE 19801.
Opt-out mechanism: Every recovery email includes a functional unsubscribe link. Opt-out requests are honored within 10 business days as required by law.
Accurate subject lines: Email subject lines accurately reflect the content of the message (payment recovery).
No deceptive headers: "From," "To," "Reply-To," and routing information accurately identify the merchant and originating domain.

9. International Data Transfers

RecoverKit is based in the United States and processes all data within the United States. If you are located outside the US, your data will be transferred to and processed in the US.

For transfers of personal data from the EEA, UK, or Switzerland to the US, we rely on:

Standard Contractual Clauses (SCCs): We use the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), specifically:
- Module 2 (Controller to Processor): For transfers from merchant (controller) to RecoverKit (processor).
- Module 3 (Processor to Processor): For transfers from RecoverKit to our sub-processors.
UK International Data Transfer Agreement (IDTA) / Addendum: For transfers from the UK, we supplement the SCCs with the UK IDTA or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office.
Transfer Impact Assessments (TIAs): We conduct Transfer Impact Assessments for international transfers to evaluate the legal framework of the recipient country and identify any supplementary measures needed to ensure an essentially equivalent level of protection.
Sub-processor commitments: Our sub-processors (Stripe, Resend, Twilio, Anthropic, Railway) maintain their own data transfer mechanisms, including SCCs, the EU-US Data Privacy Framework, and equivalent safeguards.

You may request a copy of applicable data transfer safeguards, including executed SCCs and TIA summaries, by contacting privacy@recoverkit.com.

10. Data Retention

We retain data only as long as necessary for the purposes described in this policy. The following table specifies retention periods by data category:

Data Category	Retention Period	Legal Basis / Justification
Merchant account data	Duration of account + 30 days after deletion	Contract performance; 30-day grace period for reactivation
End-user contact data (email, phone)	Up to 90 days after recovery sequence completion or merchant disconnection, whichever is first	Legitimate interests (completing recovery); contractual obligation to merchant
Payment failure details	Up to 90 days after recovery sequence completion	Legitimate interests (completing recovery); contractual obligation to merchant
Recovery message logs	Up to 12 months, then deleted or anonymized	Legitimate interests (analytics and troubleshooting for merchants)
AI-generated content	Up to 12 months (stored in message logs)	Legitimate interests (merchant analytics)
Automatically collected website data	Up to 12 months	Legitimate interests (service improvement)
Billing records	7 years	Legal obligation (tax and financial regulations)
SMS opt-out/suppression records	Indefinitely while Service is operational	Legal obligation (TCPA compliance)
Security and access logs	Up to 12 months	Legitimate interests (security and fraud prevention)

When data is no longer needed, it is permanently deleted or irreversibly anonymized. Merchants may request early deletion of their end-user data by contacting us; we will process such requests within 30 days, subject to any legal retention obligations.

11. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

Encryption in transit: All data transmitted between your browser, our servers, and third-party services uses TLS 1.2 or higher.
Encryption at rest: Stored data is encrypted using industry-standard encryption (AES-256).
Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis.
Minimal data collection: We collect only the data necessary to provide the Service. We do not access your full Stripe customer database.
OAuth scoping: Our Stripe integration uses the minimum required permissions.
Regular security reviews: We periodically review our security practices and update them as needed.

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of a security vulnerability, please contact us immediately at privacy@recoverkit.com.

12. Breach Notification

In the event of a personal data breach that affects data we process:

GDPR notification: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons, as required by GDPR Article 33. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay (Article 34).
Merchant notification: We will notify affected merchants without undue delay after becoming aware of a breach involving their end-user data, providing sufficient detail for the merchant to fulfill its own notification obligations as data controller.
US state law compliance: We will comply with all applicable state breach notification laws, including but not limited to the California Civil Code Section 1798.82, and the notification requirements of Virginia, Colorado, Connecticut, Texas, Oregon, and other states where affected individuals reside.
Notification content: Breach notifications will include: (a) the nature of the breach, (b) categories and approximate number of data subjects affected, (c) likely consequences of the breach, and (d) measures taken or proposed to address the breach and mitigate its effects.

13. Your Rights

13.1 Rights Under GDPR (EEA, UK, Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Access (Art. 15): Request a copy of the personal data we hold about you.
Rectification (Art. 16): Request correction of inaccurate or incomplete data.
Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
Restriction (Art. 18): Request that we limit how we process your data.
Portability (Art. 20): Request your data in a structured, commonly used, machine-readable format.
Objection (Art. 21): Object to processing based on legitimate interests, including profiling.
Automated Decision-Making (Art. 22): Object to solely automated decisions that produce legal or similarly significant effects, and request human review. See Section 7.1 for details on our automated processing.
Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

End users: Because we act as a data processor, end users should first direct their requests to the merchant (data controller) who uses RecoverKit. If a merchant is unable to fulfill your request, or if you need further assistance, contact us at privacy@recoverkit.com. We will respond within 30 days.

13.2 GDPR Article 13/14 Supplemental Information

EU Representative: At present, RecoverKit does not meet the thresholds requiring appointment of an EU representative under GDPR Article 27 (we do not offer goods or services to, or monitor the behavior of, data subjects in the EU on a large scale). Should our processing activities reach the applicable thresholds, we will appoint an EU representative and update this policy accordingly.

Data Protection Officer: RecoverKit is not required to appoint a Data Protection Officer under GDPR Article 37, as our core activities do not consist of large-scale processing of special categories of data or large-scale systematic monitoring. For all privacy inquiries, contact privacy@recoverkit.com.

Right to lodge a complaint: If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

13.3 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), provides you with the following rights:

Right to Know: Request what personal information we have collected, used, disclosed, or sold about you in the past 12 months, including the categories and specific pieces of information.
Right to Delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct: Request correction of inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale/Sharing: We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. No opt-out is necessary.
Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted under CPRA Section 1798.121. If we did, you would have the right to limit such use.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Verification: To protect your privacy, we will verify your identity before fulfilling any CCPA/CPRA request. Verification may require you to confirm your email address associated with your account and provide additional identifying information. We will match the information you provide against our existing records.

Authorized agents: You may designate an authorized agent to make requests on your behalf. Authorized agents must submit written proof of authorization (such as a power of attorney or a signed written authorization from you). We may also require the consumer to verify their own identity directly.

Financial incentives: We do not offer financial incentives related to the collection or sale of personal information.

To exercise your rights, contact us at privacy@recoverkit.com. We will respond within the timeframes required by applicable law (30 days for GDPR, 45 days for CCPA/CPRA, extendable by an additional 45 days with notice).

13.4 Rights Under Other US State Privacy Laws

If you are a resident of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (CPA), or another US state with a comprehensive consumer privacy law, you may have the following rights (as applicable under your state's law):

Access: Confirm whether we are processing your personal data and obtain a copy of it.
Correction: Request correction of inaccuracies in your personal data.
Deletion: Request deletion of personal data you have provided or that we have obtained about you.
Portability: Obtain a copy of your personal data in a portable, readily usable format.
Opt-out: Opt out of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Note: We do not engage in targeted advertising or the sale of personal data.

To exercise any of these rights, contact us at privacy@recoverkit.com. If your request is denied, you may appeal by contacting us with the subject line "Privacy Rights Appeal." We will respond to appeals within the timeframes required by your state's law.

13.5 California Shine the Light (Civil Code Section 1798.83)

California residents may request information regarding the disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes. If you are a California resident and wish to make such a request, contact us at privacy@recoverkit.com.

14. Cookies & Tracking Technologies

14.1 Landing Page (recoverkit.com)

Our public-facing landing page does not use cookies, tracking pixels, or third-party analytics scripts. No cookies are set when you visit the landing page.

14.2 Service Dashboard

If you log into the RecoverKit Service dashboard, we use the following cookies:

Essential/session cookies: Required for authentication, session management, and security. These cannot be disabled while using the Service.
Analytics cookies: We may use privacy-respecting analytics to understand how merchants use the dashboard. These do not track you across other websites and do not sell or share data with third parties.

We do not use advertising cookies, retargeting pixels, or third-party tracking scripts on any part of our Website or Service. We do not participate in cross-site tracking or ad networks.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from using the Service dashboard.

15. Children's Privacy

RecoverKit is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under the age of 13, and our Service is not designed to be used by children. In compliance with the Children's Online Privacy Protection Act (COPPA), if we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will promptly delete that information.

If you believe we have inadvertently collected data from a child under 13, please contact us at privacy@recoverkit.com and we will promptly investigate and delete it.

16. Data Processing Agreement

A separate Data Processing Agreement (DPA) is available for merchants who require one, particularly where required by GDPR Article 28 or other applicable data protection law. The DPA governs RecoverKit's processing of end-user personal data on the merchant's behalf and includes:

Subject matter, duration, nature, and purpose of processing
Types of personal data and categories of data subjects
Obligations and rights of the controller (merchant)
Sub-processor engagement terms and change notification procedures
Data return and deletion obligations
Standard Contractual Clauses as an annex (where applicable)

To request a copy of our DPA, contact privacy@recoverkit.com.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

We will update the "Effective Date" and "Last Updated" dates at the top of this page.
We will post the updated policy on our Website.

For material changes (changes that meaningfully alter the scope of data collected, the purposes of processing, your rights, or the parties with whom data is shared):

We will notify merchants via email at least 30 days before the changes take effect.
We will require merchants to affirmatively acknowledge the material changes (for example, by clicking an acceptance prompt in the dashboard) before the changes apply to their account. Continued use alone does not constitute acceptance of material changes.
If you do not accept the material changes, you may close your account before the new effective date.

For non-material changes (e.g., corrections, formatting, clarifications that do not alter the substance of the policy), updated terms become effective upon posting.

18. Dispute Resolution

Any disputes arising from this Privacy Policy are subject to the dispute resolution provisions in our Terms of Service. Please review the Terms of Service for details on governing law, arbitration, and venue.

For privacy-specific complaints from individuals in the EEA, UK, or Switzerland, you may lodge a complaint with your local supervisory authority, regardless of the dispute resolution provisions in the Terms of Service.

19. Contact Information

RecoverKit

1234 Innovation Way, Suite 100, Wilmington, DE 19801

Privacy Inquiries: privacy@recoverkit.com

General Support: support@recoverkit.com

For GDPR-related inquiries, please use the subject line "GDPR Request" when emailing privacy@recoverkit.com. We aim to respond to all privacy inquiries within 5 business days and to fulfill formal rights requests within the timeframes required by applicable law.