Privacy Policy

Last updated: March 28, 2026

1. Introduction

Welcome to RetainFlow, Inc. (“RetainFlow”, “we”, “our”, “us”). We provide a dunning and revenue recovery platform that helps businesses reduce churn, recover failed payments, and manage subscription lifecycle communications (the “Service”).

This Privacy Policy explains how we collect, use, and protect information when you and your customers interact with our Service.

2. Scope of This Policy

This policy applies to:

  • Customers (you) — businesses using our platform
  • End users — your customers whose data you process through our Service

We act as:

  • Data controller for our own business data
  • Data processor for data you upload or sync into our platform

3. Information We Collect

a) Account and business information

  • Name
  • Email address
  • Company name
  • Billing details
  • Login credentials

b) Subscription and billing data

(Collected via integrations such as payment processors)

  • Subscription status (active, canceled, past due)
  • Transaction history
  • Payment failure events
  • Invoice data
  • Plan details

Important: We do not store full credit card numbers or sensitive payment credentials. These are handled by secure payment processors (for example, Stripe).

c) End-user (customer) data

Provided by you via integrations:

  • Customer name and email
  • Subscription activity
  • Payment status
  • Communication logs (emails sent, opened, clicked)

d) Communication data

  • Emails sent via our dunning system
  • Engagement metrics (open rates, clicks)
  • Message templates and customization

e) Usage and technical data

  • IP address
  • Browser and device information
  • Platform activity logs
  • Feature usage patterns

4. How We Use Information

We use data to:

Core service functionality

  • Detect failed payments and trigger recovery workflows
  • Send automated dunning emails and notifications
  • Retry failed transactions (via integrations)
  • Provide analytics on churn and recovery

Platform improvement

  • Improve deliverability and email performance
  • Optimize recovery strategies
  • Debug issues and monitor performance

Communication

  • Send service updates and alerts
  • Provide customer support

Security and compliance

  • Prevent fraud and abuse
  • Enforce terms and ensure lawful use

5. How We Share Information

We never sell personal data.

We may share data with:

a) Infrastructure and service providers

  • Cloud hosting (for example, AWS, GCP)
  • Email delivery providers (for example, SendGrid, Postmark)
  • Analytics tools

b) Payment processors

Stripe or similar providers (for billing events and retries).

c) Integrations

Only when you enable them (for example, CRM, analytics, support tools).

d) Legal requirements

If required by law, regulation, or legal process.

A current list of key subprocessors is available on our Subprocessors page.

6. Data Retention

We retain data:

  • As long as your account is active
  • As needed to provide the Service
  • As required for legal, tax, or compliance purposes

You may request deletion of your data at any time (see “Your Rights” below).

7. Data Security

We implement safeguards including:

  • Encryption in transit (HTTPS / TLS)
  • Role-based access controls
  • Secure infrastructure and monitoring
  • Limited internal access to sensitive data

No system is completely secure.

8. Your Responsibilities

As a customer, you are responsible for ensuring you have the legal right to process your customers’ data, complying with applicable laws (including GDPR and CAN-SPAM where they apply), and managing consent and communication preferences. We process such data on your instructions.

9. Email and Communication Compliance

Our platform enables automated customer communication. You agree to send lawful and non-spam communications, include proper identification and opt-out mechanisms, and respect unsubscribe requests. We may suspend accounts that violate these rules.

10. International Data Transfers

Your data may be processed in countries outside your jurisdiction. We use safeguards such as standard contractual clauses and trusted infrastructure providers where appropriate.

11. Your Rights

Depending on your location, you may have the right to access, correct, delete, restrict, or object to certain processing. End users should contact the business (our customer) directly for requests relating to their data.

To exercise rights relating to data we hold as controller about you, contact privacy@retainflow.com.

12. Cookies and Tracking

We use cookies to authenticate users, track usage and performance, and improve experience. You can control cookies via your browser.

13. Third-Party Services

Our Service integrates with third-party platforms. Their data handling is governed by their own privacy policies.

14. Children’s Privacy

Our Service is not intended for children under 13 (or the equivalent age in your jurisdiction). We do not knowingly collect data from children.

15. Changes to This Policy

We may update this policy periodically. We will notify you via website updates and, if changes are significant, by email where appropriate.

16. GDPR Compliance (EEA, UK, and Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, this section applies.

Legal basis for processing

  • Contractual necessity — to provide our Service
  • Legitimate interests — improving our platform, fraud prevention, analytics
  • Consent — for marketing communications where required
  • Legal obligations — compliance with applicable laws

Data subject rights

You may have the right to access, correct, delete, restrict or object to processing, data portability, and to withdraw consent. Contact privacy@retainflow.com to exercise these rights.

Role of the parties

You (our customer) are typically the data controller for your end users’ data. We act as a data processor and process personal data based on your instructions for the Service.

Data transfers outside the EU

Where data is transferred outside the EEA, we rely on safeguards such as Standard Contractual Clauses (SCCs) and providers with appropriate safeguards.

Data protection contact

privacy@retainflow.com

17. Email Communications and Compliance

Our platform enables automated communication with your customers (including dunning emails). By using our Service, you agree to the following.

Lawful use

You will send communications only where you have appropriate consent or another lawful basis (such as legitimate interest under GDPR where applicable).

Required email practices

Emails sent through our platform must:

  • Clearly identify the sender (your business)
  • Use accurate subject lines (no misleading content)
  • Include a valid physical mailing address where required by law
  • Include a visible and functional unsubscribe mechanism

Unsubscribe and opt-out

You must honor unsubscribe requests promptly. You may not re-subscribe users without proper consent.

Prohibited use

You may not use our Service to send spam, violate CAN-SPAM, GDPR, or other laws, or send abusive, deceptive, or fraudulent communications.

Enforcement

We may monitor email activity for compliance and suspend or terminate accounts that violate these rules.

© 2026 RetainFlow, Inc. · Built by a bootstrapped founder, for bootstrapped founders.
