1. Data We Collect
We collect information across four categories:
Account Data
When you create a LostChurn account, you provide us with your name, email address, company name, and billing information.
Transaction Data
When you connect your payment processor, we collect failed payment data including decline codes, transaction amounts, currency, subscription IDs, and customer identifiers (email, name, phone if provided by your PSP). We also store card metadata such as brand, last four digits, and expiry. We never store full card numbers.
Webhook Data
Raw webhook payloads received from Stripe and Braintree are temporarily stored for debugging and audit purposes. These payloads are retained for 30 days and then automatically deleted.
Usage Data
We automatically collect certain information when you use the LostChurn dashboard, including your IP address, browser type, and pages visited within the dashboard.
2. How We Use Your Data
- Provide failed payment recovery services, including retry orchestration, dunning communications, and analytics
- Generate recovery insights and recommendations
- Send service-related notifications such as recovery alerts and weekly digests
- Improve recovery algorithms using aggregated, anonymized data
- Send marketing communications about our products and services (you may opt out at any time)
3. Sub-Processors and Data Sharing
We do not sell personal data. We share data with the following service providers who perform services on our behalf:
| Sub-Processor | Purpose | Data Categories |
|---|---|---|
| SpacetimeDB (Clockwork Labs) | Database hosting | All service data |
| Cloudflare | Edge processing, CDN | Webhook payloads in transit |
| Stripe | Payment retry execution | Payment method tokens, amounts |
| Braintree (PayPal) | Payment retry execution | Payment method tokens, amounts |
| Twilio | Email, SMS, and WhatsApp delivery | Customer email, phone, name, payment amounts |
| Google (Gemini API) | Email personalization | Customer first name, decline code, amount (see Section 7) |
| Slack | Merchant notifications | Customer email, payment amounts (sent to merchant's workspace) |
| Clerk | Merchant authentication | Merchant email and session data only |
We may also disclose your information if required by law, regulation, or legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of LostChurn, our users, or the public.
4. Data Retention
- Webhook logs: Raw webhook payloads are scheduled for deletion after 30 days. Actual deletion timing may vary based on system processing schedules.
- Account data: Retained for the duration of your subscription. On account deletion, data is removed within 30 days except where retention is required by law.
- Transaction data: Retained for the duration of your subscription plus 90 days for recovery reporting.
- LLM call logs: Only metadata (token counts, latency) is stored for cost tracking. Full prompts and responses are not stored.
5. Cookies and Tracking Technologies
- Essential cookies: Authentication session cookies managed by Clerk, required for dashboard access.
- Functional cookies: Used to remember your preferences and UI state.
We do not use analytics cookies, advertising cookies, or third-party tracking pixels.
Stripe.js loads on the customer payment update page (/pay/[slug]) only and is governed by Stripe's own privacy policy.
6. Your Rights Under GDPR
If you are a resident of the European Economic Area (EEA), you have the following data protection rights:
- The right to access your personal data
- The right to rectification of inaccurate data
- The right to erasure of your data
- The right to restriction of processing
- The right to data portability
- The right to object to processing
- The right to withdraw consent at any time
To exercise these rights, please contact our Data Protection Officer at dpo@lostchurn.com. We will respond to your request within 30 days.
7. AI and Machine Learning
We use Google's Gemini API to personalize dunning email content sent on your behalf to recover failed payments.
Data sent to Gemini: customer first name (or "Valued Customer" if unavailable), decline code, payment amount, currency, and brand tone settings.
Data not sent to Gemini: email addresses, phone numbers, full names, or any other directly identifying information.
LLM prompts and responses are not logged or stored. Only metadata such as token counts and cost is retained for billing and performance monitoring.
Aggregated, anonymized data may be used to improve recovery scoring models. No individual customer data is used for model training.
8. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights regarding your personal information:
- The right to know what personal information is collected, used, shared, or sold
- The right to delete personal information held by businesses
- The right to opt out of the sale of personal information (we do not sell personal data)
- The right to non-discrimination for exercising your CCPA rights
9. International Data Transfers
Your data may be transferred to and maintained on servers located in the United States. We use Standard Contractual Clauses (SCCs) approved by the European Commission where required to ensure adequate safeguards for international transfers.
All infrastructure providers, including SpacetimeDB and Cloudflare, are US-based with appropriate data protection safeguards in place.
10. Security
- All data encrypted in transit using TLS 1.3
- SAQ-A compliant — full card numbers never touch our servers. Card data is handled exclusively by Stripe and Braintree.
- Dashboard access secured via Clerk authentication with session management
- API keys and webhook secrets stored with encryption
- Rate limiting on webhook endpoints
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.
11. Children's Privacy
Our service is not directed to anyone under the age of 18. We do not knowingly collect personally identifiable information from anyone under 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us so we can take steps to remove that information.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by sending a notice to the email address associated with your account.
The "Last updated" date at the top of this page reflects the most recent revision. You are advised to review this Privacy Policy periodically for any changes.
13. Contact Us / Data Protection Officer
For general privacy inquiries, please contact us at privacy@lostchurn.com.
Our Data Protection Officer (DPO) can be reached at dpo@lostchurn.com. The DPO is responsible for overseeing questions in relation to this Privacy Policy and can assist with any data subject access requests.
LostChurn, LLC — Oregon, United States