rechurnBack to home

Data Processing Agreement

Last updated: March 10, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Rechurn ("Processor") and the customer ("Controller") for the use of the Rechurn payment recovery platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and Purpose

The Processor processes Personal Data on behalf of the Controller solely to provide the Rechurn payment recovery service, including:

  • Syncing customer and payment data from the Controller's Stripe account
  • Sending recovery emails to the Controller's customers
  • Generating AI-enhanced recovery email content
  • Tracking email delivery, opens, and clicks
  • Providing analytics and reporting dashboards

3. Categories of Data

  • Customer data: Names, email addresses, Stripe customer IDs
  • Subscription data: Plan names, statuses, MRR values
  • Payment data: Failed payment amounts, currencies, decline codes
  • Communication data: Email send timestamps, open/click events

4. Obligations of the Processor

  • Process Personal Data only on documented instructions from the Controller.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Not engage Sub-processors without prior written consent of the Controller.
  • Assist the Controller with data subject requests (access, rectification, erasure, portability).
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance with this DPA.

5. Security Measures

  • Encryption of data in transit (TLS 1.2+)
  • Encryption of sensitive tokens at rest (AES-256-GCM)
  • Row Level Security (RLS) for multi-tenant data isolation
  • Regular security updates and dependency monitoring
  • Access control with role-based permissions

6. Sub-processors

The following Sub-processors are authorized:

  • Supabase Inc. — Database hosting, authentication (US/EU)
  • Stripe Inc. — Payment data source, billing (US/EU)
  • Resend Inc. — Email delivery (US)
  • Vercel Inc. — Application hosting (US/EU)
  • Groq Inc. — AI inference for email enhancement (US)

The Controller will be notified of changes to the Sub-processor list at least 30 days in advance.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories of data affected, estimated number of data subjects, and measures taken to mitigate the breach.

8. International Transfers

Where Personal Data is transferred outside the EEA, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

9. Duration and Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law.

10. Controller's Responsibilities

  • Ensure a valid legal basis exists for processing customer data.
  • Provide appropriate privacy notices to data subjects.
  • Ensure compliance with applicable data protection laws.
  • Not instruct the Processor to process data in violation of applicable law.

11. Contact

For DPA-related inquiries, contact us at support@rechurn.io.