Privacy Policy
Last updated: March 31, 2026
1. Introduction
PayReclaim ("we," "us," or "our") operates the PayReclaim platform at payreclaim.com, an AI-powered payment recovery service for SaaS businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
By accessing or using PayReclaim, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, company name, and password (stored in hashed form). You may also provide optional profile information such as your role and company website.
2.2 Payment & Billing Data
We use Stripe as our payment processor. When you subscribe to a paid plan, Stripe collects your payment card details directly. We never store full card numbers on our servers. We receive and store your Stripe customer ID, subscription status, plan tier, and billing history from Stripe.
2.3 Stripe Connect Data (Your Customers)
To recover failed payments on your behalf, you connect your Stripe account via Stripe Connect (OAuth). Through this connection, we access:
- Failed charge and invoice data (amounts, dates, failure reasons)
- Customer names, email addresses, and subscription details
- Payment method metadata (card brand, last four digits, expiration)
- Subscription and plan information
We access this data solely to identify failed payments and orchestrate recovery campaigns. We do not sell, share, or use your customers' data for any purpose other than operating the Service.
2.4 Usage & Analytics Data
We automatically collect information about how you interact with the Service, including pages visited, features used, recovery campaign performance, session duration, browser type, operating system, IP address, and referring URLs.
2.5 Email Sending Data
We use Resend as our email delivery provider to send recovery nudge emails to your customers and transactional emails to you. Resend processes recipient email addresses, email content, delivery status, open rates, and click-through data on our behalf.
3. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the PayReclaim Service
- Monitor and recover failed payments from your Stripe account
- Send AI-generated recovery emails to your customers on your behalf
- Process your subscription payments and manage billing
- Provide customer support and respond to inquiries
- Analyze usage patterns to improve the Service
- Generate aggregated, anonymized analytics and benchmarks
- Send transactional emails (account confirmations, password resets, recovery reports)
- Detect, prevent, and address fraud, abuse, or technical issues
- Comply with legal obligations
4. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide you with the Service you have subscribed to
- Legitimate interests: Analytics, fraud prevention, and service improvement, balanced against your privacy rights
- Legal obligation: Compliance with applicable laws, tax requirements, and regulatory requests
- Consent: Where required, such as for marketing communications (which you may withdraw at any time)
5. Third-Party Services
We share data with the following categories of third-party service providers, each acting as a data processor under appropriate data processing agreements:
- Stripe: Payment processing, billing management, and Stripe Connect integration for accessing your customer payment data.
- Supabase: Database hosting, authentication, and backend infrastructure. Data stored in EU (eu-central-1) region.
- Resend: Transactional and recovery email delivery on your behalf. Processes recipient addresses and email content.
- Vercel: Application hosting, edge functions, and content delivery.
- OpenAI / AI Providers: AI model inference for generating personalized recovery email content. No customer data is used for model training.
6. Cookies & Tracking Technologies
We use the following types of cookies:
- Essential cookies: Required for authentication, session management, and security. Cannot be disabled.
- Functional cookies: Remember your preferences such as dashboard layout and timezone settings.
- Analytics cookies: Help us understand how you use the Service so we can improve it. You can opt out.
We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings.
7. Data Retention
We retain your data according to the following schedule:
- Account data: Retained for the duration of your account plus 30 days after deletion request
- Stripe Connect data: Deleted within 30 days of disconnecting your Stripe account or closing your PayReclaim account
- Recovery campaign data: Retained for 12 months after campaign completion for reporting purposes, then anonymized
- Email delivery logs: Retained for 90 days, then automatically purged
- Server logs: Retained for 30 days for security and debugging purposes
- Billing records: Retained for 7 years as required by tax and accounting regulations
8. Data Security
We implement industry-standard security measures to protect your data, including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Supabase Row Level Security (RLS) policies for data isolation
- OAuth 2.0 for Stripe Connect (we never store your Stripe credentials)
- Bcrypt password hashing with salting
- Regular security audits and dependency vulnerability scanning
- Principle of least privilege for internal access controls
While we strive to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights
Under the GDPR, UK GDPR, and other applicable data protection laws, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data ("right to be forgotten")
- Right to restrict processing: Request temporary restriction of data processing
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at legal@payreclaim.com. We will respond within 30 days as required by law.
10. International Data Transfers
Your data is primarily stored in the European Union (eu-central-1). Where data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
11. Children's Privacy
PayReclaim is a business-to-business service and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Data Protection Officer
For privacy-related inquiries, data subject requests, or complaints about our data handling practices, contact our Data Protection Officer:
PayReclaim Data Protection
Email: legal@payreclaim.com
If you believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection supervisory authority.