Privacy Policy

Last updated: 10 May 2026

1. What Data We Collect

When you sign in with Google, we receive your name and email address from Google. When you connect your Stripe account, we access:

• Invoice data (IDs, amounts, currency, dates, status)
• Failed-payment metadata (decline code, decline reason, card brand, card last 4 digits)
• Customer data (IDs, email addresses, names)
• Subscription metadata (plan names)
• Company profile (business name, website, support email)

On first connection, we run a one-time historical scan to identify failed invoices from the previous 90 days (up to 200 invoices) so the Service can begin recovering them. From that point on, we receive new failed-payment events from Stripe in real time via webhooks.

2. What We Do Not Access

We never access, view, or store credit card numbers, bank account details, or sensitive financial credentials. All payment method updates happen directly on Stripe's PCI-compliant infrastructure.

3. How We Store Data

Your Stripe OAuth access tokens are encrypted using AES-256-GCM encryption at rest. Application data is stored in a PostgreSQL database hosted by Supabase with row-level security policies ensuring data isolation between accounts.

4. Emails We Send

RetryFi sends dunning emails to your customers on your behalf when their payments fail. These emails contain your company branding and a link to a Stripe-hosted Billing Portal session. We use Resend as our email provider; Resend hands the email off to the recipient's mail server and records delivery, bounce, and complaint events.

We process bounce and complaint events to maintain a per-merchant email suppression list, ensuring we never re-send to addresses that have hard-bounced or marked our emails as spam. Every dunning email includes a one-click unsubscribe link (signed with an HMAC token) and the standard List-Unsubscribe headers required by major mailbox providers.

5. Data Retention and Deletion

Your data is retained as long as your Stripe account is connected to RetryFi. When you disconnect — either from the RetryFi Settings page or by revoking RetryFi's access from your Stripe dashboard — all associated data (failed payments, recovery actions, customer email addresses, account metadata) is permanently deleted from our database immediately. There is no soft-delete or archival period.

6. Third-Party Services

We use the following third-party services:

• Supabase — Database and authentication
• Stripe — Payment processing and OAuth
• Google — Identity provider for sign-in (via OAuth) and webfont delivery (Google Fonts)
• Resend — Email delivery
• Inngest — Background job processing
• Upstash — Redis-backed rate limiting
• Vercel — Hosting and request routing
• Sentry — Error monitoring (error reports are scrubbed of personally identifiable information before being submitted)
• Slack — Optional outbound webhook destination if you configure one in Settings; we do not store any data on your behalf with Slack
• Umami — Privacy-focused, cookieless website analytics (see Section 7)

7. Website Analytics

We use Umami, a privacy-focused analytics service, to understand how visitors use our website. Umami runs in cookieless mode and does not store cookies or other identifiers in your browser. It collects aggregated, anonymized information including a hashed version of your IP address, browser type, operating system, referring page, and pages you visit on this site. This data is not used to personally identify you, build a cross-site profile, or sell to third parties.

We rely on legitimate interests as our lawful basis for this processing under UK GDPR. You can object at any time by emailing support@retryfi.com.

8. Operator

RetryFi is operated by Bubble Boy Productions Ltd, a company registered in England and Wales at 13 Mill Building, 49 Royal Crest Avenue, London, United Kingdom, E16 2ZZ.

9. Governing Law

This Privacy Policy is governed by the laws of England and Wales.

10. Contact

For privacy inquiries, contact us at support@retryfi.com.