Privacy Policy — RecoverStack

Effective date: 2026-05-04
Last updated: 2026-05-04
Operating entity: RecoverStack LLC, a Wyoming limited liability company


1. Who we are and how to reach us

This Privacy Policy describes how RecoverStack LLC (a Wyoming limited liability company) collects, uses, discloses, and protects your personal data.

Contact:

  • Email: [email protected]
  • Postal: RecoverStack LLC, 1021 E Lincolnway Suite #10243, Cheyenne, Wyoming 82001, United States

Yarin Goldstein is the founder and primary point of contact for privacy questions.

2. Personal data we collect

We process two categories of personal data:

Customer data (you, our user):

  • Name, email address, company name, country
  • Account credentials (managed by Supabase Auth)
  • Stripe Connect account ID and OAuth scopes you grant
  • Billing address and payment method details (handled by Stripe; we receive only last-4, brand, expiration)
  • IP address, browser metadata, login history (security purposes)
  • Communications you send us (email support, in-app messages)

End-customer data (your customers, the people whose payments are being recovered):

  • Email address, name (provided by your Stripe account)
  • Stripe customer ID, subscription ID
  • Payment outcomes (charge attempts, success/fail, decline codes)
  • Email opens, clicks, and reply data for outreach we send on your behalf
  • We do NOT receive or store your customers' card numbers, CVV/CVC, or other cardholder data

3. How we collect personal data

  • Directly from you when you sign up, configure your account, or contact support
  • From Stripe via webhook events and Connect API calls authorized by you
  • From Resend (our transactional email provider) when emails we send are opened, clicked, or replied to
  • Automatically via standard server logs when you use our dashboard or API

4. Why we process personal data (lawful bases)

| Purpose | Lawful basis |
| --- | --- |
| Provide the RecoverStack service to you (the customer) | Contract — you signed up |
| Process your customers' failed-payment data on your behalf | Contract + your representations under our ToS that you have a lawful basis |
| Send you transactional service emails | Contract / legitimate interest |
| Send you marketing emails about RecoverStack | Consent (opt-out anytime) |
| Comply with legal obligations | Legal obligation |
| Investigate fraud, abuse, security incidents | Legitimate interest |
| Improve the service via aggregated analytics | Legitimate interest |

For end-customer data, RecoverStack acts as a Data Processor; you (the customer) are the Data Controller. You are responsible for the lawful basis under which you provide that data to us. A Data Processing Agreement is available at [email protected].

5. Stripe Privacy Policy

We rely heavily on Stripe for payment processing. Please review Stripe's Privacy Policy in addition to ours. Stripe processes cardholder data, billing addresses, and payment metadata directly. RecoverStack does not control how Stripe handles this information.

6. Sub-processors

We use the following sub-processors to deliver the service:

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Stripe Inc. | Payment processing, Connect platform | United States |
| Supabase Inc. | Database (PostgreSQL) and authentication | United States, EU regions available |
| Upstash Inc. | Redis (job queue and caching) | United States |
| Railway Corp. | Application hosting | United States |
| Cloudflare Inc. | DNS, CDN, marketing site hosting | Global edge network |
| Resend Inc. | Transactional and recovery email delivery | United States |
| Smartlead AI | Cold email outreach (RecoverStack-side marketing only; NOT used for your customer outreach) | United States |
| Sentry (Functional Software) | Error tracking and alerting | United States, with EU region available |
| Google LLC (Workspace) | Founder email + admin | United States |

We may add or change sub-processors. We will give you 30 days' notice of any material change, including via your dashboard and via email if you have opted into product updates.

7. International transfers

RecoverStack LLC is a US entity. Most of our sub-processors are US-based. If you are in the European Union, the United Kingdom, Israel, or another jurisdiction with cross-border data-transfer protections, your personal data is transferred to the United States.

For EU/UK transfers, we rely on:

  • Standard Contractual Clauses (SCCs) with sub-processors that have not adopted equivalent measures
  • Stripe's GDPR adequacy posture for payment-related data

For Israeli transfers, we rely on the consent-and-service-necessity basis under the Privacy Protection Law and the cross-border-transfer log we maintain internally per Amendment 13.

8. Data retention

We retain personal data for as long as necessary to provide the service plus a rolling reasonable period for business-record purposes:

| Data type | Retention |
| --- | --- |
| Active account data | Lifetime of your account |
| Failed-payment / recovery-attempt records | 90 days after subscription termination, then hard-deleted |
| Webhook event records | 12 months for audit and dispute resolution, then hard-deleted |
| Email logs (open / click / reply) | 18 months, then hard-deleted |
| Server access logs | 90 days |
| Support email correspondence | 24 months |
| Billing records | 7 years (US tax-record requirement) |

You can request earlier deletion at any time at [email protected]. We will complete deletion within 30 days, retaining only what is legally required.

9. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data ("right to be forgotten")
  • Restrict or object to processing
  • Receive a portable copy of your data
  • Withdraw consent for processing based on consent
  • Lodge a complaint with a supervisory authority

For EU residents: contact your national data-protection authority. For Israeli residents: the Privacy Protection Authority (PPA).

To exercise any right, email [email protected]. We will respond within 30 days.

10. Cookies and tracking

The RecoverStack landing site (recoverstack.dev) and dashboard (app.recoverstack.dev) use:

  • Essential cookies: session, CSRF, authentication. Cannot be disabled (the service breaks without them).
  • Analytics cookies: Cloudflare Analytics (aggregated, no individual tracking). Disabled by default; respects Do-Not-Track.
  • No third-party advertising or marketing cookies.

A cookie banner on first visit lets EU/UK visitors accept or reject non-essential cookies. The choice is stored in a cookie itself. You can change your preferences anytime via the cookie-settings link in the footer.

For a complete list of cookies we set, see our Cookie Policy.

11. Security

We protect personal data with:

  • TLS 1.2+ for all data in transit
  • Encryption at rest (Supabase-provided, plus per-field encryption for sensitive identifiers)
  • Row-Level Security on all production database tables (per ORCH-011 internal controls)
  • Multi-factor authentication on all founder and admin accounts
  • Sentry error monitoring with payload-data redaction (we never log card data, even by accident)
  • Regular dependency-vulnerability scans
  • Internal trade-secret inventory and access controls

No security is perfect. If we discover a personal-data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours of becoming aware (per GDPR / Amendment 13).

12. Children's data

RecoverStack is a B2B service. We do not knowingly collect data from anyone under 16. If you believe we have collected data from a child, contact [email protected] and we will delete it immediately.

13. Changes to this Policy

We will update this Policy as the service evolves. Material changes will be communicated with at least 30 days' notice via email and via a dated banner at the top of this page.

14. Contact

For privacy questions, data subject requests, or to request our Data Processing Agreement:

  • Email: [email protected]
  • Postal: RecoverStack LLC, 1021 E Lincolnway Suite #10243, Cheyenne, Wyoming 82001, United States