Privacy Policy
Last updated: 11 June 2026
1. What Data We Collect
When you sign in with Google, we receive a limited set of profile information from Google (see Section 2). When you connect your Stripe account, we access:
- Invoice data (IDs, amounts, currency, dates, status)
- Failed-payment metadata (decline code, decline reason, card brand, card last 4 digits)
- Customer data (IDs, email addresses, names)
- Subscription metadata (plan names)
- Company profile (business name, website, support email)
On first connection, we run a one-time historical scan to identify failed invoices from the previous 90 days (up to 200 invoices) so the Service can begin recovering them. From that point on, we receive new failed-payment events from Stripe in real time via webhooks.
2. Google User Data
“Sign in with Google” is an optional way to create and access your RetryFi account. Signing in with Google is the only way RetryFi interacts with Google services, and we request only the minimum non-sensitive scopes needed to identify you: openid, email, and profile.
What we access. When you choose to sign in with Google, Google shares a limited set of your Google account profile information with us: your email address, your name, and your profile picture URL. We do not request or receive access to Gmail, Google Drive, Contacts, Calendar, or any other Google product or data.
How we use it. We use this information solely to authenticate you, create and secure your RetryFi account, identify you within the app, and send you account- and service-related communications. We do not use Google user data for advertising, and we do not use it to develop, improve, or train generalized or artificial intelligence / machine-learning models.
How we store it. Your name, email address, and profile picture URL are stored in our Supabase-hosted PostgreSQL database (described in Section 4) for as long as your account exists. We do not request offline access to your Google account and do not retain long-lived Google access or refresh tokens; your Google credentials are used only at the moment of sign-in to verify your identity.
How we share it. We never sell your Google user data and never share it with third parties for their own purposes. It is processed only by the infrastructure sub-processors listed in Section 7 that are necessary to operate the Service.
Deletion.You can revoke RetryFi's access at any time from your Google Account permissions page. When you delete your RetryFi account (see Section 6), the Google profile information we hold is permanently deleted.
RetryFi's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
3. What We Do Not Access
We never access, view, or store credit card numbers, bank account details, or sensitive financial credentials. All payment method updates happen directly on Stripe's PCI-compliant infrastructure.
4. How We Store Data
Your Stripe OAuth access tokens are encrypted using AES-256-GCM encryption at rest. Application data is stored in a PostgreSQL database hosted by Supabase with row-level security policies ensuring data isolation between accounts.
5. Emails We Send
RetryFi sends dunning emails to your customers on your behalf when their payments fail. These emails contain your company branding and a link to a Stripe-hosted Billing Portal session. We use Resend as our email provider; Resend hands the email off to the recipient's mail server and records delivery, bounce, and complaint events.
We process bounce and complaint events to maintain a per-merchant email suppression list, ensuring we never re-send to addresses that have hard-bounced or marked our emails as spam. Every dunning email includes a one-click unsubscribe link (signed with an HMAC token) and the standard List-Unsubscribe headers required by major mailbox providers.
6. Data Retention and Deletion
Your data is retained as long as your Stripe account is connected to RetryFi. When you disconnect — either from the RetryFi Settings page or by revoking RetryFi's access from your Stripe dashboard — all associated data (failed payments, recovery actions, customer email addresses, account metadata) is permanently deleted from our database immediately. There is no soft-delete or archival period.
7. Third-Party Services
We use the following third-party services:
- Supabase — Database and authentication
- Stripe — Payment processing and OAuth
- Google — Identity provider for sign-in (via OAuth) and webfont delivery (Google Fonts)
- Resend — Email delivery
- Inngest — Background job processing
- Upstash — Redis-backed rate limiting
- Vercel — Hosting and request routing
- Sentry — Error monitoring (error reports are scrubbed of personally identifiable information before being submitted)
- Slack — Optional outbound webhook destination if you configure one in Settings; we do not store any data on your behalf with Slack
- Umami — Privacy-focused, cookieless website analytics (see Section 8)
8. Website Analytics
We use Umami, a privacy-focused analytics service, to understand how visitors use our website. Umami runs in cookieless mode and does not store cookies or other identifiers in your browser. It collects aggregated, anonymized information including a hashed version of your IP address, browser type, operating system, referring page, and pages you visit on this site. This data is not used to personally identify you, build a cross-site profile, or sell to third parties.
We rely on legitimate interests as our lawful basis for this processing under UK GDPR. You can object at any time by emailing support@retryfi.com.
9. Operator
RetryFi is operated by Bubble Boy Productions Ltd, a company registered in England and Wales at 13 Mill Building, 49 Royal Crest Avenue, London, United Kingdom, E16 2ZZ.
10. Governing Law
This Privacy Policy is governed by the laws of England and Wales.
11. Contact
For privacy inquiries, contact us at support@retryfi.com.