Effective date: March 11, 2026

Privacy
Policy

Recurflux is operated by Yash Amin, trading as Recurflux (“we,” “our,” or “us”). We operate recurflux.com and the Recurflux payment recovery service. This policy explains what data we collect, how we use it, and what rights you have over it. For any privacy matter, contact us at [email protected].

We designed Recurflux to touch as little sensitive data as possible. Card numbers never pass through our servers. We store metadata - failure codes, retry schedules, email logs - not payment credentials.

What we collect

When you connect your payment processor, we collect and store:

• →Your account email address and first name
• →Your payment processor type (e.g. Stripe, Paddle, Razorpay, RevenueCat) and account ID
• →Failed charge metadata: customer IDs, charge amounts, failure codes, timestamps
• →Retry scheduling data: attempt count, next retry time, outcome
• →Dunning email logs: sent timestamps, open/click events (no email body content stored)
• →Your monthly revenue range (MRR bracket, as provided during signup)

We do not collect or store:

• →Full card numbers, CVVs, or expiry dates - card data goes directly to your processor
• →Your customers' personal information beyond what your processor exposes in charge metadata
• →Passwords to your payment processor — you provide a restricted API key; we never ask for or store your processor login credentials

How we use your data

• →To operate the retry engine: scheduling retries based on failure codes
• →To send dunning emails on your behalf (from your domain, as configured)
• →To generate recovery analytics: recovered MRR, at-risk payments, recovery rate
• →To show you the 90-day historical sync on first connect
• →To communicate with you about your account, product updates, and early access status

We do not sell your data. We do not use your data to train AI models. We do not share your data with third parties except as described in the section below.

Sub-processors and third-party services

We work with a small number of third-party services to deliver Recurflux. The current services are:

• →Payment processors (Stripe, Paddle, Razorpay, and RevenueCat – currently supported; Chargebee and Braintree on roadmap) – to read charge data and trigger retries via their APIs
• →Email delivery (Resend / Postmark) - to deliver dunning emails from your configured domain
• →Transactional and onboarding email (Brevo) - to manage account contacts and send onboarding sequences
• →Hosting infrastructure (Railway) - our servers and database run on Railway with encryption at rest
• →Error monitoring (Sentry) - to capture application errors and performance issues; no customer payment data is included in error payloads
• →Marketing site traffic analytics (Plausible Analytics) - we use Plausible Analytics, a cookieless, privacy-respecting tool that does not collect personal data, does not use cookies, and does not track individuals across sites. No cookie consent banner is required for Plausible under GDPR or the ePrivacy Directive.
• →Product analytics and session recording (Mixpanel) — we use Mixpanel to track events, measure feature usage, and record sessions across the marketing site and application. Mixpanel places first-party analytics cookies on your device and may process your IP address, browser type, device identifiers, and clickstream data. Session recordings are used solely to improve the product and are not shared with third parties. Data is transferred to and processed in the United States by Mixpanel, Inc. See mixpanel.com/legal/privacy-policy.

The API keys you provide to connect your processor are encrypted at rest using AES-256, with the encryption key stored separately from the database. They are never logged or exposed in plaintext at any point.

PCI compliance and card data

The hosted payment update portal uses your processor’s PCI-compliant card collection flow. Card data is submitted directly to the processor via their client-side SDK. Recurflux never receives, transmits, or stores raw card numbers, CVVs, or expiry dates.

Each payment portal link is secured by a signed JWT token that is unique per customer, expires after 48 hours, and is non-transferable. Tokens are generated server-side and never logged in plaintext.

Data retention

We retain your account and charge metadata for as long as your Recurflux account is active. If you cancel your account, we delete all associated data within 30 days.

You can request deletion of your data at any time by emailing [email protected]. We will confirm deletion within 10 business days.

Lawful basis for processing (GDPR Article 6)

If you are located in the European Economic Area (EEA), we process your personal data under the following lawful bases:

• →Contract performance (Article 6(1)(b)) - processing necessary to provide the Recurflux service you have signed up for, including operating the retry engine, sending dunning emails, and generating your recovery dashboard.
• →Legitimate interests (Article 6(1)(f)) - processing your email and account data to send product updates, early access communications, and transactional notices. You can opt out of non-essential communications at any time.
• →Consent (Article 6(1)(a)) - where we have asked for your explicit consent, such as creating an account. You may withdraw consent at any time by contacting [email protected].

Recurflux acts as a data processor on behalf of merchants who connect their payment processor accounts. In that capacity, we process their customers’ charge metadata under the instructions of the merchant (the data controller). Merchants’ end customers are the data subjects. A Data Processing Agreement (DPA) governing this relationship is presented at account connection and available at any time.

Transfers of EEA personal data to Recurflux’s US-based infrastructure are conducted under the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914, Module Two: Controller-to-Processor), incorporated into the DPA. A copy is available upon request.

EU Representative (Article 27 GDPR): Recurflux is a small, early-stage operator currently processing EU personal data on a limited scale. We are in the process of designating a formal EU representative as our EU customer base grows. In the meantime, all GDPR-related requests from EU residents can be directed to [email protected] and will be handled with the same response times and obligations as if a representative were in place.

If you have questions about how we handle EEA personal data, contact us at [email protected].

California privacy rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• →Right to know - you may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purpose, and with whom we share it.
• →Right to delete - you may request deletion of your personal information, subject to certain exceptions (e.g. completing a transaction, detecting security incidents).
• →Right to correct - you may request correction of inaccurate personal information we hold.
• →Right to opt out of sale or sharing - we do not sell or share your personal information with third parties for cross-context behavioral advertising. There is nothing to opt out of, but you may contact us to confirm.
• →Right to non-discrimination - exercising any of the above rights will not result in any difference in the service we provide to you.

Categories of personal information collected: identifiers (email, name), commercial information (MRR bracket, processor type), and internet or other electronic network activity (charge metadata, retry logs). We do not collect sensitive personal information as defined by the CPRA.

To exercise any California privacy right, contact us at [email protected] with “California Privacy Request” in the subject line. We will respond within 45 days.

Other US state privacy rights

Several US states have enacted comprehensive privacy laws that may grant you additional rights depending on your state of residence, including Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and Florida (FDBR), among others. While the specific rights vary by state, they generally include the right to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of certain processing activities.

Recurflux does not sell personal data or use it for targeted advertising. If your state’s privacy law grants you rights beyond those described in this policy, contact us at [email protected] with your state and the right you wish to exercise and we will respond within the timeframe required by your state’s law.

Minimum age

Recurflux is a business-to-business service intended solely for use by individuals who are at least 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a person under 18, contact us at [email protected] and we will delete it promptly.

Your rights

You have the right to:

• →Access the data we hold about you
• →Request correction of inaccurate data
• →Request deletion of your data
• →Export your data in a portable format
• →Withdraw consent for email communications at any time

To exercise any of these rights, contact us at [email protected].

United Kingdom — UK GDPR and Data Protection Act 2018

If you are located in the United Kingdom, your personal data is processed under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The lawful bases, data subject rights, and processor obligations described in the EEA/GDPR section above apply equally to UK residents.

The supervisory authority for the UK is the Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO at any time at ico.org.uk.

Transfers of personal data from the UK to our US-based infrastructure are conducted under the UK International Data Transfer Agreement (IDTA) or equivalent safeguards as applicable under UK adequacy regulations.

Canada — PIPEDA and Quebec Law 25

If you are located in Canada, we collect, use, and disclose your personal information in accordance with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and, where applicable, provincial privacy legislation including Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Law 25”), effective September 2023.

Under PIPEDA and applicable provincial law, you have the right to:

• →Access personal information we hold about you and request a copy
• →Request correction of inaccurate or incomplete information
• →Withdraw consent for non-essential processing (subject to legal or contractual restrictions)
• →Lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca

Quebec residents have additional rights under Law 25, including the right to request de-indexing of information that identifies them and the right to data portability in a structured, commonly used format. Recurflux will conduct privacy impact assessments for new high-risk processing activities as required by Law 25.

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm, we will notify the OPC and all affected individuals in accordance with PIPEDA’s breach notification requirements.

Australia — Privacy Act 1988 and Australian Privacy Principles

If you are located in Australia, we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (“APPs”).

Under the APPs, you have the right to:

• →Access personal information we hold about you (APP 12)
• →Request correction of incorrect, outdated, or incomplete information (APP 13)
• →Make a privacy complaint to us — we will respond within 30 days
• →Escalate an unresolved complaint to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au

Cross-border disclosure: we disclose personal information to third-party services located in the United States. Before doing so, we take reasonable steps to ensure those recipients handle the information in a manner consistent with the APPs (APP 8.1).

Under the Notifiable Data Breaches (NDB) scheme, if a data breach is likely to result in serious harm to any individual whose information is involved, we will notify the OAIC and affected individuals as soon as practicable.

Brazil — Lei Geral de Proteção de Dados (LGPD)

If you are located in Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados (“LGPD” — Law No. 13,709/2018), enforced by the Autoridade Nacional de Proteção de Dados (“ANPD”).

We process your personal data under the following lawful bases under the LGPD:

• →Contract performance (Art. 7, V) — processing necessary to provide the Recurflux service you contracted.
• →Legitimate interests (Art. 7, IX) — processing your account data to send transactional notices and product updates, balanced against your privacy interests.
• →Consent (Art. 7, I) — where we have asked for explicit consent, such as creating an account. You may revoke consent at any time.

Under the LGPD, you have the right to:

• →Confirmation of whether we process your personal data
• →Access to your personal data
• →Correction of incomplete, inaccurate, or outdated data
• →Anonymization, blocking, or deletion of unnecessary or excessive data
• →Portability of your personal data to another service provider
• →Information about third parties with whom we share your data
• →Revocation of consent at any time

To exercise any of these rights, contact us at [email protected] with “LGPD Request” in the subject line. We will respond within 15 days. In the event of a security incident that may cause risk or harm to data subjects, we will notify the ANPD and affected individuals within the timeframes required by applicable ANPD regulations.

Indian users — Digital Personal Data Protection Act, 2023

If you are located in India, the following applies under the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the Digital Personal Data Protection Rules, 2025, enforced by the Data Protection Board of India. The IT Act, 2000 and SPDI Rules, 2011 continue to apply where not superseded by the DPDPA.

Recurflux acts as a Data Fiduciary in respect of Indian users who create accounts and as a Data Processor in respect of your end customers’ charge metadata processed on your behalf. As a Data Fiduciary, we provide the following notice:

• →What personal data we collect: your email address, name, payment processor type, account ID, and MRR bracket — as described in the Data We Collect section above.
• →Purpose of processing: to operate the payment recovery service, send transactional and onboarding communications, and generate your recovery analytics dashboard.
• →How to exercise your rights: by contacting [email protected]. We will respond within 30 days.

Rights of Data Principals under the DPDPA:

• →Right to information: you may request confirmation of whether we process your personal data and obtain a summary of it.
• →Right to correction and erasure: you may request correction of inaccurate or incomplete personal data, or erasure of personal data that is no longer necessary for the purpose for which it was collected.
• →Right to grievance redressal: you may raise a complaint with us as described below. If your complaint is not resolved, you may escalate to the Data Protection Board of India.
• →Right to nominate: you may nominate another individual to exercise your DPDPA rights on your behalf in the event of your death or incapacity, by contacting [email protected].

Charge metadata and financial transaction data we process may constitute sensitive personal data under the SPDI Rules. We process such data only to the extent necessary to deliver the payment recovery service. You may withdraw consent at any time by contacting us, subject to any pending retry or dunning sequence in progress.

Cross-border transfer of your data to our US-based infrastructure is carried out on the basis that such transfer is necessary for performance of your contract with us, consistent with the DPDPA and applicable government notifications regarding permitted transfer destinations.

Grievance Officer (India)

In accordance with Rule 5(9) of the SPDI Rules under the IT Act, 2000, the Grievance Officer for India is:

Changes to this policy

If we make material changes to this policy, we will notify you by email at least 14 days before the changes take effect. The effective date at the top of this page reflects the most recent update.