This Privacy Policy explains how RecurMend ("we," "us," or "our") collects, uses, discloses, and protects personal information. It covers two distinct audiences:
- Merchants — the subscription software businesses that sign up for RecurMend to recover failed payments from their own customers.
- End-customers — individuals who receive emails or SMS from RecurMend on behalf of a merchant whose product they use.
Where the practices differ between these two groups, the sections below say which group they apply to.
1. Information we collect
From merchants:
- Account details: name, business name, email address, hashed password, billing address.
- Payment information for RecurMend subscription fees, processed by Stripe. We do not store card numbers.
- Stripe-account connection details authorized via OAuth, so we can read invoices and customer records to execute recovery.
- Usage data: dashboard activity, feature usage, and logs kept for diagnostics and security.
About end-customers (received indirectly from merchants):
- Name and email address, from the merchant's Stripe records.
- Phone number, provided by the customer at the merchant's signup and passed to RecurMend solely to deliver transactional subscription notifications (failed-payment notices, card-update links).
- Invoice metadata: amount, currency, due date, failure reason. We do not receive full card numbers or authentication credentials.
- Interaction data: email opens, link clicks, SMS deliveries, card-update page visits.
We also use a small number of cookies to keep you signed in, protect against bots, and measure aggregate site usage — see our Cookie Notice for the full inventory and retention.
2. How we use information
- To deliver the service: send recovery emails and SMS on behalf of merchants, host secure card-update pages, and retry failed payments once a card is updated.
- To bill merchants for their RecurMend subscription.
- To monitor system health, prevent fraud and abuse, and improve the service.
- To comply with legal obligations and enforce our terms.
We do not sell personal information, and we do not use end-customer contact information for any purpose beyond the specific recovery sequence authorized by the merchant.
3. Who we share information with
We share information only with service providers that are necessary to operate RecurMend. Each is bound by contractual data-protection commitments:
| Provider | Purpose |
|---|---|
| Stripe | Billing, OAuth into merchant accounts, payment-method tokenization |
| Twilio | SMS delivery |
| Resend | Email delivery |
| OAuth sign-in for the merchant dashboard (optional) | |
| Railway | Application and database hosting |
| Cloudflare | DNS, CDN, and DDoS protection |
We do not share personal information with advertisers, data brokers, or any party for marketing purposes. We may disclose information when required by law (subpoena, court order) or to protect our rights, our users, or the public.
4. SMS-specific terms
The full SMS program (consent, opt-out, message frequency, sample messages, carrier disclosures) lives at SMS Program Terms & Consent. Each merchant's toll-free number is verified through Twilio's Compliance Embeddable; the platform-side architecture is documented at /integration/sms-compliance. Phone numbers collected for SMS are used solely for those transactional notifications and are never shared for marketing.
5. Data retention
- Merchant account data is retained for the life of the account plus up to 90 days after cancellation, then deleted or anonymized.
- End-customer contact data and interaction records are retained only as long as needed to complete the active recovery sequence, plus a reasonable audit period (typically up to 12 months).
- Financial records required by tax and accounting law are retained for the statutory period, typically 7 years.
6. Security
We use industry-standard protections: TLS in transit, AES-256 encryption at rest for sensitive fields, access controls, audit logging, and regular security review. No system is perfectly secure; if we learn of a breach affecting personal information, we will notify affected parties and regulators as the law requires.
7. Your rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal information, and to object to certain processing.
- Merchants: use your dashboard account settings, or email privacy@recurmend.co.
- End-customers: contact the merchant whose product you use — they are the primary data controller for your information. You may also email us at privacy@recurmend.co and we'll work with the merchant to fulfill your request.
8. International users
RecurMend is operated from the United States. Personal information may be processed in the U.S. or other countries where our service providers operate. If you access the service from outside the U.S., you consent to this transfer. We support GDPR data-subject rights for users in the European Economic Area and equivalent rights under applicable state and national laws.
9. Children
RecurMend is a business-to-business service not directed at children under 13 (or 16 in the EEA). We do not knowingly collect personal information from children.
10. Changes to this policy
We may update this policy to reflect changes in our practices or for legal reasons. The "Last updated" date at the top shows when the current version took effect. Material changes are notified to merchants by email.
11. Contact
Questions about this policy or our privacy practices can be directed to privacy@recurmend.co.