Security & Trust
What RecoverStack can and can't do with your Stripe account
You're connecting a payment account to a tool built by a solo founder. That deserves straight answers, not badges. Here is exactly how your data is handled, what access RecoverStack requests, and what it can never do.

A real person is accountable for this product. If something looks wrong, email me directly at [email protected].
Read-only by design
RecoverStack requests read access plus the ability to run the retries you configure. It cannot move money or change your account.
| What it can do | What it can never do |
|---|---|
| Read your charges, invoices, and subscriptions | Create, modify, or refund any charge |
| Read the decline code on a failed payment | See full card numbers, CVCs, or expiry dates |
| Read customer email + metadata to send recovery emails | Create or delete customers on your account |
| Read your payout schedule for retry timing | Move, pause, or touch your payouts |
| Run retries on the schedule you configure | Change any of your Stripe account settings |
In plain terms: RecoverStack never refunds, never creates charges, never touches your payouts, and never sees card numbers. What it actually does is run retries on the schedule you set and send dunning (recovery) emails when a payment fails.
Card data never touches our servers
When a customer updates a card, they do it inside Stripe's own hosted Elements iframe. The card number, CVC, and expiry go straight from the browser to Stripe. RecoverStack only ever sees the card brand, last four digits, and expiry month that Stripe returns. PANs and CVCs never reach our servers or database.
Compliance posture (stated honestly)
- PCI DSS SAQ-A self-assessed (annual).Because card entry happens entirely in Stripe Elements, RecoverStack qualifies for the SAQ-A self-assessment, which we complete annually. This is a self-assessment, not a QSA audit, so we do not describe ourselves as "PCI certified."
- Our free Stripe audit tool is published on the Stripe App Marketplace. See the listing. Core recovery itself runs on the Stripe Connect platform: you authorize the exact scopes shown above via OAuth and can revoke anytime. (We are not enrolled in the separate Stripe Partner Ecosystem, so we do not claim a "Stripe Partner" badge.)
- Privacy by default, GDPR-aware. Our Privacy Policy, Cookie Policy, and Terms are live, and a DPA is available on request at [email protected]. We design for privacy and minimize the data we hold, but we have not completed a formal legal review, so we say "GDPR-aware," not "GDPR compliant."
You can revoke access any time
You stay in control. To revoke RecoverStack's access, open your Stripe Dashboard and go to Settings › Authorized Applications, find RecoverStack, and revoke. Access stops immediately.
30-day money-back guarantee
If RecoverStack isn't a fit in your first 30 days, email me and I'll refund you in full. No forms, no friction.
No connect required to start. The audit shows you the value before any deeper access decision.