Privacy Policy

1. Introduction

Recurcite ("we," "us," or "our") operates the Recurcite platform, a dispute and chargeback automation service for subscription SaaS merchants using Stripe Billing. This Privacy Policy describes how we collect, use, store, and protect information when you use our service.

2. Data We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and password (stored as a bcrypt hash). We never store plaintext passwords.

2.2 Stripe Data

When you connect your Stripe account via OAuth, we receive and store an access token and refresh token (encrypted at rest with AES-256-GCM). We fetch and store snapshots of the following Stripe objects related to disputes: disputes, charges, payment intents, invoices, subscriptions, and customer records. These snapshots are stored as JSON and scoped to your merchant account.

2.3 SDK Events

If you integrate our SDK, we receive events you explicitly send, including: terms/refund policy acceptance records (versioned), login timestamps with device type and IP address, high-level usage milestones (counts and timestamps only — no sensitive content), cancellation request and confirmation timestamps, and support interaction timelines. We do not collect sensitive user content, messages, or personal data beyond what you explicitly send.

2.4 Webhook Events

We receive and store Stripe webhook events related to disputes for your connected account. These are processed for case creation and evidence assembly.

3. How We Use Your Data

• Assemble evidence packets for dispute responses
• Generate dispute analytics and reporting for your account
• Submit dispute evidence to Stripe on your behalf
• Operate our rules engine for autopilot mode
• Maintain an audit log of all actions taken
• Improve our service and resolve technical issues

4. Data Retention

We retain dispute cases, evidence bundles, and audit logs for the duration of your account plus 12 months after account closure, or as required by applicable law. Stripe snapshots are retained for the lifetime of the associated dispute case. You may request deletion of your data by contacting us at privacy@recurcite.com.

5. Data Security

• Stripe OAuth tokens encrypted at rest with AES-256-GCM
• All data access scoped to merchant (multi-tenant isolation)
• Passwords hashed with bcrypt
• TLS encryption for all data in transit
• Immutable audit log for all system and user actions
• Rate limiting and secure headers on all endpoints

6. Subprocessors

We use the following third-party services to operate:

• Stripe — Payment processing, dispute APIs, OAuth
• Database hosting provider — PostgreSQL database
• Cloud hosting provider — Application hosting
• Sentry — Error monitoring (no PII transmitted)

7. Your Rights

You may request access to, correction of, or deletion of your personal data at any time by contacting privacy@recurcite.com. If you are located in the EEA, you have additional rights under GDPR including the right to data portability and the right to lodge a complaint with a supervisory authority.

8. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by posting a notice on our website. Continued use of the service after changes constitutes acceptance.

9. Contact

For privacy-related inquiries, contact us at privacy@recurcite.com.