Security & Trust

What RecoverStack can and can't do with your Stripe account

You're connecting a payment account to a tool built by a solo founder. That deserves straight answers, not badges. Here is exactly how your data is handled, what access RecoverStack requests, and what it can never do.

Yarin Goldstein

Built and run by Yarin Goldstein

Solo founder, RecoverStack. Tel Aviv, Israel.

Connect on LinkedIn

A real person is accountable for this product. If something looks wrong, email me directly at [email protected].

Read-only by design

RecoverStack requests read access plus the ability to run the retries you configure. It cannot move money or change your account.

What it can doWhat it can never do
Read your charges, invoices, and subscriptionsCreate, modify, or refund any charge
Read the decline code on a failed paymentSee full card numbers, CVCs, or expiry dates
Read customer email + metadata to send recovery emailsCreate or delete customers on your account
Read your payout schedule for retry timingMove, pause, or touch your payouts
Run retries on the schedule you configureChange any of your Stripe account settings

In plain terms: RecoverStack never refunds, never creates charges, never touches your payouts, and never sees card numbers. What it actually does is run retries on the schedule you set and send dunning (recovery) emails when a payment fails.

Card data never touches our servers

When a customer updates a card, they do it inside Stripe's own hosted Elements iframe. The card number, CVC, and expiry go straight from the browser to Stripe. RecoverStack only ever sees the card brand, last four digits, and expiry month that Stripe returns. PANs and CVCs never reach our servers or database.

Compliance posture (stated honestly)

  • PCI DSS SAQ-A self-assessed (annual).Because card entry happens entirely in Stripe Elements, RecoverStack qualifies for the SAQ-A self-assessment, which we complete annually. This is a self-assessment, not a QSA audit, so we do not describe ourselves as "PCI certified."
  • Our free Stripe audit tool is published on the Stripe App Marketplace. See the listing. Core recovery itself runs on the Stripe Connect platform: you authorize the exact scopes shown above via OAuth and can revoke anytime. (We are not enrolled in the separate Stripe Partner Ecosystem, so we do not claim a "Stripe Partner" badge.)
  • Privacy by default, GDPR-aware. Our Privacy Policy, Cookie Policy, and Terms are live, and a DPA is available on request at [email protected]. We design for privacy and minimize the data we hold, but we have not completed a formal legal review, so we say "GDPR-aware," not "GDPR compliant."

You can revoke access any time

You stay in control. To revoke RecoverStack's access, open your Stripe Dashboard and go to Settings › Authorized Applications, find RecoverStack, and revoke. Access stops immediately.

30-day money-back guarantee

If RecoverStack isn't a fit in your first 30 days, email me and I'll refund you in full. No forms, no friction.

Start with a free, read-only audit

No connect required to start. The audit shows you the value before any deeper access decision.