Effective date: March 15, 2026  ·  Version 1.1

Data Processing Agreement

Parties to this agreement

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller: the merchant who has connected a payment processor account to Recurflux ("you" or "Merchant"). The Merchant determines the purposes and means of processing their customers' personal data.
  • Data Processor: Recurflux, the operator of recurflux.com ("Recurflux," "we," or "us"). Recurflux processes personal data solely on the instructions of the Merchant.
  • Data Subjects (not a party to this DPA, but the individuals it protects): the Merchant's end customers whose failed charge metadata, email addresses, and subscription data are processed by Recurflux under this DPA.

This allocation of roles means: you (the Merchant) are responsible for the lawfulness of collecting your customers’ data and for having a valid legal basis to share it with Recurflux. Recurflux acts only as an extension of your instructions and has no independent right to use end-customer data for any purpose other than delivering the payment recovery service.

Data Processor identity: Recurflux is operated by Yash Amin, trading as Recurflux. Contact for all DPA-related matters: [email protected].

This DPA is incorporated into and forms part of the Terms of Service between the parties. By connecting your payment processor account to Recurflux, you agree to this DPA on behalf of yourself and any organization you represent.

What data we process and why

Recurflux processes personal data solely to provide the payment recovery service you have configured. The categories of personal data processed are:

  • Your customers' email addresses - used to send dunning email sequences on your behalf.
  • Failed charge metadata - customer IDs, charge amounts (in cents), failure codes, timestamps - used to schedule and execute retry attempts.
  • Retry outcome data - attempt number, scheduled time, executed time, outcome code - used to generate your recovery dashboard and audit trail.
  • Payment portal access tokens - signed JWTs tied to specific failed charges - used to give your customers a secure link to update their payment method.
  • Subscription pause data - pause start date, pause duration, and scheduled resumption date - used to pause and resume subscriptions at customer request via the payment portal.

We do not process: full card numbers, CVVs, expiry dates, bank account numbers, or any payment credential that would bring Recurflux within PCI-DSS scope beyond SAQ-A.

Processing is carried out exclusively on your documented instructions. We will not process personal data for any other purpose, including our own marketing or product analytics, without your explicit written consent.

Retention and deletion

Recurflux retains personal data for as long as your Recurflux account remains active and for the period necessary to complete any pending retry or dunning sequence.

  • On account cancellation: all personal data associated with your account is deleted within 30 days of cancellation.
  • On your written request: we will delete or return all personal data within 10 business days.
  • Aggregated, anonymized analytics (e.g. aggregate recovery rates with no customer identifiers) may be retained indefinitely.

To request early deletion, contact [email protected] with “Data Deletion Request” in the subject line.

Technical and organizational security measures

Recurflux implements the following measures to protect personal data:

  • Encryption at rest: all personal data held in the database is stored in encrypted form on disk.
  • Encryption in transit: all data transmitted between Recurflux and third-party services uses TLS 1.2 or higher.
  • API key encryption: processor API keys provided by merchants to connect their account (Stripe, Paddle, Razorpay, RevenueCat) are encrypted at rest using AES-256, with the encryption key stored separately from the database and never logged or exposed in plaintext.
  • Access control: database and infrastructure access is restricted to authorized personnel only, with 2FA required on all administrative accounts.
  • Webhook signature verification: all webhook events from connected processors are verified before processing — Stripe, Paddle, and Razorpay via HMAC-SHA256 signature validation; RevenueCat via constant-time shared-secret verification.
  • JWT security: payment portal tokens are signed, expire 48 hours after issue, and are bound to a specific payment failure record, so a token issued for one failed charge cannot be used to act on another.
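The two checks named in the last two bullets, shown as an added example (this is illustrative code, not Recurflux's implementation). It assumes a signature header of the form "t=<unix-ts>,v1=<hex>", a five-minute replay window, and a portal token whose "sub" claim carries the failure record id; each real processor documents its own exact scheme, and a production integration must follow that scheme rather than this one.

```python
"""Added example (not Recurflux's code): HMAC-SHA256 webhook verification with a
constant-time compare, and an HS256 portal token with a 48-hour expiry bound to one
failure record.  Assumed for illustration: a "t=<unix-ts>,v1=<hex>" signature header,
a 5-minute replay window, and a "sub" claim carrying the failure record id."""
import base64
import hashlib
import hmac
import json

REPLAY_TOLERANCE_SECONDS = 300        # assumed replay window
PORTAL_TOKEN_TTL_SECONDS = 48 * 3600  # the 48-hour expiry stated above


def _webhook_mac(secret, timestamp, raw_body):
    # MAC the raw bytes as received; re-serialising parsed JSON changes whitespace
    # or key order and silently breaks verification.
    msg = str(timestamp).encode() + b"." + raw_body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def sign_webhook(secret, timestamp, raw_body):
    """Build the header a processor would send (used here only to construct input)."""
    return f"t={timestamp},v1={_webhook_mac(secret, timestamp, raw_body)}"

def verify_hmac_webhook(secret, signature_header, raw_body, now):
    """Return (accepted, reason); parse the event only once this returns True."""
    fields = dict(p.split("=", 1) for p in signature_header.split(",") if "=" in p)
    try:
        timestamp, provided = int(fields["t"]), fields["v1"]
    except (KeyError, ValueError):
        return False, "malformed signature header"
    if abs(now - timestamp) > REPLAY_TOLERANCE_SECONDS:
        return False, "timestamp outside replay window"
    expected = _webhook_mac(secret, timestamp, raw_body)
    if not hmac.compare_digest(expected.encode(), provided.encode()):  # no early exit
        return False, "signature mismatch"
    return True, "ok"

def verify_shared_secret(expected, presented):
    """Constant-time check for a processor that sends a static shared secret."""
    return hmac.compare_digest(expected.encode(), (presented or "").encode())

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _jwt_sig(signing_key, header, claims):
    return _b64url(hmac.new(signing_key, f"{header}.{claims}".encode(), hashlib.sha256).digest())

def mint_portal_token(signing_key, failure_id, issued_at):
    """HS256 JWT whose subject is the one failure record the portal link may act on."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = _b64url(json.dumps({"sub": failure_id, "iat": issued_at,
                                 "exp": issued_at + PORTAL_TOKEN_TTL_SECONDS}).encode())
    return f"{header}.{claims}.{_jwt_sig(signing_key, header, claims)}"

def verify_portal_token(signing_key, token, failure_id, now):
    """Accept only a validly signed, unexpired token bound to failure_id."""
    try:
        header, claims, sig = token.split(".")
        alg = json.loads(_b64url_decode(header)).get("alg")
    except (ValueError, AttributeError):
        return False, "malformed token"
    if alg != "HS256":  # refuses alg=none and key-confusion tokens before any crypto
        return False, "unexpected alg"
    if not hmac.compare_digest(_jwt_sig(signing_key, header, claims).encode(), sig.encode()):
        return False, "bad signature"
    body = json.loads(_b64url_decode(claims))
    if now >= body.get("exp", 0):
        return False, "expired"
    if body.get("sub") != failure_id:  # a genuine token for another charge is still refused
        return False, "token bound to a different failure record"
    return True, "ok"

def demo():
    """Constructed inputs: an assumed webhook secret, event and signing key."""
    secret, key, now = "whsec_example", b"portal-signing-key-example", 1_800_000_000
    body = json.dumps({"id": "evt_1", "type": "charge.failed", "amount": 4999}).encode()
    header = sign_webhook(secret, now, body)
    token = mint_portal_token(key, "fail_123", now)
    alg_none = _b64url(b'{"alg":"none"}') + "." + token.split(".")[1] + "."
    return {
        "webhook_ok": verify_hmac_webhook(secret, header, body, now + 10),
        "webhook_tampered": verify_hmac_webhook(secret, header, body.replace(b"4999", b"1"), now + 10),
        "webhook_replayed": verify_hmac_webhook(secret, header, body, now + 3600),
        "shared_secret": (verify_shared_secret("rc_s3cret", "rc_s3cret"),
                          verify_shared_secret("rc_s3cret", "rc_s3cret!")),
        "token_ok": verify_portal_token(key, token, "fail_123", now + 3600),
        "token_wrong_record": verify_portal_token(key, token, "fail_999", now + 3600),
        "token_expired": verify_portal_token(key, token, "fail_123", now + 49 * 3600),
        "token_alg_none": verify_portal_token(key, alg_none, "fail_123", now + 3600),
    }
```

Two points the bullets leave implicit are made explicit here: the MAC is computed over the raw request body before any JSON parsing, and the portal check compares the token's bound record against the record the request is trying to modify, so a valid token for one failed charge is refused for any other.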

Audit rights (GDPR Article 28(3)(h))

In accordance with GDPR Article 28(3)(h), Recurflux shall make available to the Merchant all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Merchant or an auditor mandated by the Merchant.

  • Information requests: Merchant may request documentation of Recurflux's technical and organizational security measures, sub-processor agreements, and data processing practices at any time by emailing [email protected] with "DPA Audit Request" in the subject line. Recurflux will respond within 15 business days.
  • Remote audits: Merchant may conduct a remote audit (document review, written questionnaire) once per calendar year, or at any time following a confirmed personal data breach. Recurflux will cooperate fully.
  • On-site audits: on-site inspections require 30 days written notice and are subject to reasonable restrictions to protect confidentiality and security of other customers. Audit costs are borne by the Merchant unless the audit reveals a material breach of this DPA.
  • Third-party certifications: where Recurflux holds relevant third-party security certifications or assessments, these may satisfy Merchant's audit obligations in whole or in part, at Merchant's discretion.

Sub-processor notification and objection

In accordance with GDPR Article 28(2), Recurflux will inform the Merchant of any intended changes to the sub-processors listed in the Privacy Policy — including additions and replacements — giving the Merchant the opportunity to object to such changes.

  • Notice method: Recurflux will send notification of sub-processor changes to the email address associated with the Merchant's Recurflux account at least 14 days before the new sub-processor begins processing personal data.
  • Right to object: Merchant may object to a sub-processor change by emailing [email protected] within 14 days of receiving the notice. Objections must state the specific data protection grounds for the objection.
  • Resolution: if the parties cannot resolve a legitimate objection within 30 days, Merchant may terminate the DPA and associated Terms of Service on written notice, with a pro-rata refund of any prepaid subscription fees for the unused period.
  • No objection: if no objection is raised within the 14-day notice period, the sub-processor change is deemed accepted.

The current sub-processor list is maintained in the Privacy Policy under “Sub-processors and third-party services.”

Personal data breach notification

In the event of a personal data breach affecting your customers’ data, Recurflux will:

  • Notify you by email without undue delay, and in any event within 72 hours of becoming aware of the breach. GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 72-hour figure is your own deadline under Article 33(1) for notifying the supervisory authority, so earlier notice will be given wherever possible.
  • Provide in that notification: the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach.
  • Cooperate fully with your investigation and any regulatory notification obligations you have as the data controller.

Breach notifications will be sent to the email address associated with your Recurflux account. It is your responsibility to keep that address current.

Merchant obligations

As the data controller, you are responsible for:

  • Ensuring you have a lawful basis under applicable privacy law to share your customers' personal data with Recurflux for processing.
  • Ensuring your own Privacy Policy discloses that customer payment data may be processed by a third-party recovery service.
  • Handling any data subject access, deletion, or portability requests from your customers that require you to also request action from Recurflux.
  • Notifying Recurflux immediately if you become aware of any unauthorized use of your account credentials or OAuth connection.

Cross-border data transfers

Recurflux’s infrastructure and third-party services are located in the United States. Where personal data originates from the European Economic Area (EEA) or the United Kingdom, Recurflux relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs) — Recurflux incorporates the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor) into this DPA. By accepting this DPA, Merchant and Recurflux are deemed to have executed the SCCs with Recurflux as the importer and Merchant as the exporter.
  • UK International Data Transfer Agreement (IDTA) — for transfers of UK personal data, Recurflux relies on the UK IDTA as approved by the Information Commissioner's Office (ICO), incorporated into this DPA by reference.
  • Third-party service transfers — Recurflux ensures that each third-party service receiving EEA or UK personal data is either located in an adequacy country or bound by SCCs or equivalent transfer mechanisms.

A copy of the applicable SCCs and the UK IDTA is available upon request by emailing [email protected].

Governing law

This DPA is governed by the same law as the Terms of Service. For merchants located in the EEA or UK, this DPA is additionally subject to GDPR (Regulation (EU) 2016/679) and the UK GDPR as applicable.

For merchants located in India, this DPA is additionally subject to the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the Digital Personal Data Protection Rules, 2025, enforced by the Data Protection Board of India. The IT Act, 2000 and SPDI Rules, 2011 continue to apply where not superseded by the DPDPA.

Under the DPDPA, Recurflux acts as a Data Processor and the Merchant as the Data Fiduciary; Recurflux processes personal data of Indian data principals exclusively on the Merchant's instructions. Recurflux will:

  • Process personal data only for the purposes described in this DPA and as instructed by the Merchant.
  • Implement reasonable security safeguards as required under the DPDPA and the Digital Personal Data Protection Rules, 2025.
  • Notify the Merchant within 72 hours of becoming aware of a personal data breach, to enable the Merchant to meet its notification obligations to the Data Protection Board and affected data principals.
  • Delete personal data upon Merchant's request or on account cancellation, as described in the Retention and deletion section of this DPA.
  • Not engage a sub-processor for processing Indian personal data without informing the Merchant in advance, consistent with the sub-processor notification mechanism described in this DPA.

Transfer of personal data belonging to Indian residents to Recurflux’s US-based infrastructure is carried out on the basis that such transfer is necessary for performance of the contract between the Merchant and their customers, consistent with the DPDPA and applicable government notifications regarding permitted transfer destinations. Recurflux will notify Merchants at least 30 days in advance of any infrastructure changes required by future data localization requirements.

For merchants located in Canada, this DPA is additionally subject to the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and, where applicable, Quebec’s Act respecting the protection of personal information in the private sector (Law 25). Recurflux acts as a “service provider” under PIPEDA and processes personal data solely for the purposes described in this DPA on your documented instructions.

For merchants located in Australia, this DPA is additionally subject to the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”). Recurflux processes personal data of Australian individuals in accordance with APP 8 (cross-border disclosure) on the basis that you, as the APP entity disclosing the data, have taken reasonable steps to ensure Recurflux handles it in a manner consistent with the APPs.

For merchants located in Brazil, this DPA is additionally subject to the Lei Geral de Proteção de Dados (“LGPD”, Lei nº 13.709/2018). Recurflux acts as an “operador” (operator/processor) under the LGPD, processing personal data exclusively on your instructions as the “controlador” (controller). Processing is carried out on the lawful basis of contract performance (Article 7(V) LGPD). Breach notifications to Brazilian merchants will be issued within 72 hours to allow you to meet any reporting obligations to the Autoridade Nacional de Proteção de Dados (“ANPD”).

Questions about this DPA can be directed to [email protected].