payrecoll
Log inStart free trial

Legal

Privacy Policy

Effective date: March 30, 2026

This policy explains what data payrecoll collects, why we collect it, how we protect it, and what rights you have over it.

1. Information We Collect

Account Data

When you create a payrecoll account we collect your email address and a hashed password. This is the minimum required to authenticate you and send you product-related notifications.

Stripe Connection Data

When you connect your Stripe account via Stripe Connect OAuth, we receive and store your Stripe account ID and access tokens. We use these tokens solely to read failed payment events and trigger payment-link generation on your behalf. We never access, store, or process your customers' full card numbers, CVVs, or bank account details - all payment credentials remain on Stripe's servers.

Failed Payment Data

Via Stripe webhooks we receive and store metadata about failed invoices, including: Stripe invoice IDs, invoice amounts and currencies, your customer's email address (as recorded in Stripe), and the timestamp of the failure.

Sequence & Branding Configuration

We store the dunning sequences you build - email copy, send schedules, subject lines - and any branding settings you upload (logo URL, brand colors, sender name). This data belongs to you and is used exclusively to personalize the outreach messages sent on your behalf.

Usage & Analytics Data

We collect aggregate usage metrics such as email delivery rates, open rates, click-through rates, and recovery amounts. We do not sell or share individual-level analytics with third parties.

2. How We Use Your Data

  • Service delivery: Authenticating you, triggering dunning sequences, generating payment retry links, and populating your recovery dashboard.
  • Transactional communications: Sending you receipts, sequence failure alerts, and security-related notices.
  • Product improvement: Analyzing aggregated, anonymized usage patterns to improve sequence effectiveness and product features.
  • Legal compliance: Meeting obligations under applicable law, including responding to lawful requests from public authorities.
  • Billing: Processing subscription payments through Stripe.

We do not sell your data, use it for advertising, or share it with data brokers under any circumstances.

3. Third-Party Services

payrecoll integrates with the following third-party processors to deliver the service:

Stripestripe.com

Payment infrastructure and Connect OAuth provider. PCI-DSS Level 1 certified.

Supabasesupabase.com

Database (Postgres), authentication, and realtime infrastructure. SOC 2 Type II certified.

Resendresend.com

Transactional email delivery. Receives recipient email, subject, and body for each dunning email.

Twiliotwilio.com

SMS delivery for Pro-tier dunning sequences. Receives phone number and message body.

Vercelvercel.com

Application hosting and edge infrastructure.

4. Data Storage & Security

All data is stored in encrypted Postgres databases on Supabase with encryption at rest and in transit (TLS 1.2+). Access to production databases is restricted to authenticated service accounts.

Stripe access tokens are stored encrypted and never exposed in client-side code or logs.

If we become aware of a breach that is likely to result in a risk to your rights, we will notify affected users within 72 hours as required by GDPR Article 33.

5. Cookies & Tracking

  • Authentication cookies: Set by Supabase Auth to maintain your session after login. Strictly necessary.
  • CSRF tokens: Short-lived tokens to protect form submissions from cross-site request forgery.

We do not use advertising cookies, third-party tracking pixels, or behavioral analytics tools.

6. Data Retention

  • Account data: Retained until you delete your account. Purged within 30 days after deletion.
  • Failed payment data: Retained for 12 months, then automatically deleted.
  • Dunning logs: Retained for 6 months to power your recovery dashboard.
  • Billing records: Retained for 7 years to comply with financial and tax regulations.
  • Stripe tokens: Revoked and deleted immediately upon disconnecting your Stripe account.

7. Your Rights (GDPR & CCPA)

If you are located in the EEA, UK, or California, you have these rights regarding your personal data:

  • Right to access: Request a copy of your personal data.
  • Right to rectification: Request correction of inaccurate data.
  • Right to erasure: Request deletion, subject to legal retention obligations.
  • Right to restriction: Request that we limit processing in certain cases.
  • Right to portability: Request your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, email robert.sinski@outlook.com with the subject "Privacy Request". We will respond within 30 days.

8. International Data Transfers

Your data may be transferred to and processed in countries outside your jurisdiction. Our sub-processors participate in the EU-US Data Privacy Framework or rely on Standard Contractual Clauses approved by the European Commission.

9. Children's Privacy

payrecoll is a B2B service. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal data, contact robert.sinski@outlook.com and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes we will notify you by email at least 14 days before the change takes effect. Continued use after the effective date constitutes acceptance.

11. Contact Us

payrecoll

Email: robert.sinski@outlook.com

Subject line: "Privacy Request"

If you are in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority.