Privacy Policy

1. Information We Collect

a. Information You Provide

• Account details (name, email address, company name)
• Support communications and inquiries
• Billing contact information (note: payment data is processed directly by Stripe and is not stored by Recurr)

b. Information Collected Automatically

• Usage and event data (pages viewed, actions taken, timestamps)
• Technical information (IP address, browser type, device information)
• Referral and campaign metadata (where provided via integrations)

c. Customer End-User Data

When Recurr is used by our customers to operate subscription funnels, we may process limited end-user data on their behalf (for example, email address, subscription state, onboarding metadata, and purchase-related events). In these cases, Recurr generally acts as a data processor and our customer acts as the data controller. The Data Processing Agreement governing this relationship is built into Section 7 of our Master Service Agreement; a separately signable DPA is available on customer request.

2. How We Use Information

We use personal information to:

• Provide, operate, maintain, and improve the Recurr platform
• Authenticate users and manage accounts
• Process subscriptions and orchestrate onboarding flows
• Monitor performance, reliability, fraud prevention, and security
• Send service updates, technical notices, and support communications
• Comply with legal and regulatory obligations

We do not sell personal information.

3. Legal Bases for Processing (GDPR)

Where applicable, we process personal data under one or more of the following legal bases:

• Performance of a contract
• Legitimate interests (platform operation, analytics, and security)
• Compliance with legal obligations
• Consent, where explicitly obtained

4. Information Sharing

We may share personal information with third parties only as necessary to operate the service, comply with the law, or protect our rights. We may share information:

• With service providers and subprocessors who support our operations (e.g. hosting, email delivery)
• With Stripe for payment processing (Recurr does not store card data)
• When required by law, legal process, or lawful requests
• To protect the rights, safety, and security of Recurr, our users, or others
• In connection with a merger, acquisition, or sale of assets

A current list of subprocessors is published at our security page with 30-day change notification per the Data Processing Agreement.

5. International Data Transfers

Recurr operates globally. Your personal information may be transferred to and processed in countries outside your jurisdiction. Where required, we rely on appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

6. Data Retention

We retain personal information only for as long as necessary to provide the service, meet legal, accounting, and compliance obligations, resolve disputes, and enforce agreements. Typical retention windows:

• Prospect / lead data: up to 24 months from last interaction
• Customer account data: 7 years from contract termination (legal and accounting retention)
• Customer end-user (subscriber) data: per contractual obligations with the customer — typically deleted within 14 days of the customer’s contract with Recurr ending, at the customer’s election (per MSA Section 7)
• Operational and audit logs: 12 months from event
• Backups: up to 14 days (Supabase managed backups)

7. Data Security

We implement appropriate technical and organisational measures designed to protect personal information, including access controls, TLS 1.2+ in transit, AES-256 encryption at rest, audit logging, and secure infrastructure practices. However, no method of transmission over the Internet or electronic storage is 100% secure. See our security page for our current posture.

8. Your Rights

Depending on your location, you may have the right to:

• Access and receive a copy of your personal data
• Rectify inaccurate or incomplete personal data
• Request deletion of your personal data
• Object to or restrict processing of your personal data
• Request portability of your personal data where applicable

Australian residents have rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including the right to access and correct personal information held about them. European residents have rights under the GDPR; California residents under the CCPA. To exercise these rights, contact us using the details below.

If we process data on behalf of a customer (as a processor), we may direct you to the relevant customer (the controller) to action the request, and will cooperate as needed.

9. Cookies and Tracking

We use cookies and similar tracking technologies for authentication, analytics, and platform functionality. You can configure your browser to refuse cookies or alert you when cookies are being sent. Some features may not function properly without cookies.

10. AI and Automated Processing

Recurr uses AI tools (including Anthropic Claude and OpenAI) for internal engineering tasks (code review, debugging, content drafting) and operational work. We do not:

• Send end-subscriber personal information to AI tools
• Use AI to make automated decisions about your subscribers without human review
• Share customer-tenant data with AI providers beyond what is necessary for a specific operational task

Where AI tools are used internally, they are governed by their published privacy terms — see the sub-processor list on our security page. Recurr-side data sent to AI tools is anonymized or scoped to the minimum necessary.

If your engagement requires explicit AI-subprocessor opt-out or restrictions, raise it during the Migration Review and we will document the constraints in the Statement of Work.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated policy on this page and revise the “Last updated” date above.

12. Contact Us

If you have any questions about this Privacy Policy, or want to make a privacy-related request, contact us at privacy@recurr.dev.