Privacy Policy

Introduction

PayCircuit (“we,” “us,” or “our”) operates as a B2B SaaS dunning platform that helps subscription businesses recover failed payments. This Privacy Policy explains how we collect, use, disclose, and otherwise handle your information when you use our services.

We are committed to protecting your privacy and maintaining transparency about our data practices. This policy is GDPR-compliant and reflects our status as an EU-first platform.

1. Information We Collect

1.1 Organization Data

When you sign up for PayCircuit, we collect the following information about your organization:

• Company name and billing address
• Email address and contact information
• Stripe account ID (connected via OAuth)
• Payment and subscription plan information
• Branding preferences and customization settings
• Configuration settings for retry logic and notification templates

1.2 Failed Payment Metadata

When you connect your Stripe account, we collect and process metadata about failed payment events:

• Invoice ID and customer ID (from Stripe)
• Payment amount and currency
• Decline code and failure reason
• Subscription ID and billing cycle information
• Timestamp of the failure event
• Customer locale/timezone (for optimal retry timing)

1.3 What We Do NOT Store

For your security and compliance, we explicitly do NOT store:

• Credit card numbers or card data
• Full names of end customers (only Stripe customer IDs)
• Email addresses of end customers (stored by Stripe, not by us)
• Passwords or API keys

All card input is handled directly by Stripe Elements; we never process or access raw card data.

1.4 Interaction & Analytics Data

When you use our dashboard, we may collect:

• IP address and browser type
• Pages visited and time spent
• Links clicked in email and SMS messages
• Device information for mobile optimization

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To monitor failed payments, schedule smart retries, and send automated recovery notifications.
• Analytics & Reporting: To calculate recovery rates, ROI, and provide you with your dashboard metrics.
• Automation: To time retries based on decline code, payday patterns, and customer timezone.
• Communication: To send you transactional emails about your account, service updates, and billing.
• Compliance: To fulfill legal obligations and resolve disputes.
• Improvement: To improve our service, fix bugs, and develop new features (using anonymized data).

3. How We Share Your Data

3.1 Third-Party Service Providers

We only share necessary data with trusted service providers that help us operate:

• Stripe: Connected via OAuth. We access only the payment event data you authorize.
• Resend: Our email provider (GDPR-compliant, EU-based). We send transactional emails on your behalf.
• Twilio/MessageBird: Our SMS provider for SMS notifications (when enabled).
• Database Providers: Neon or Supabase (EU-hosted PostgreSQL, SOC2-compliant).
• Error & Log Monitoring: Sentry and Axiom for security and performance monitoring.

All service providers are bound by Data Processing Agreements (DPAs) and must comply with GDPR.

3.2 We Do NOT Share For Marketing

We never sell your data or share it with advertisers, marketing partners, or any third party for commercial purposes unrelated to operating our service.

3.3 Legal Requirement or Protection

We may disclose your information if required by law, court order, or when we believe in good faith that disclosure is necessary to protect our legal rights or yours.

4. Data Storage & Retention

4.1 Where Your Data Is Stored

PayCircuit is EU-first. All customer data is stored in EU data centers:

• Primary database: Neon (EU region) or Supabase (EU servers)
• Email queue: Resend (EU-based)
• All infrastructure: EU-only, no data egress to the US

4.2 How Long We Keep Your Data

We retain your data as follows:

• Active Account: While your organization account is active, we retain all necessary data to operate our service.
• After Account Deletion: We retain metadata for 90 days for audit and compliance purposes, then permanently delete all personal and transactional data.
• Aggregated/Anonymized Data: We may retain anonymized aggregate analytics indefinitely for trend analysis.

4.3 Security

We implement industry-standard security measures to protect your data:

• Encryption in transit (TLS 1.2+) and at rest
• OAuth-based authentication (no passwords stored)
• Webhook signature verification for Stripe events
• Regular security audits and penetration testing
• No direct access to card or sensitive customer data

5. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

5.1 Right of Access

You have the right to request a copy of all personal data we hold about your organization.

5.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data.

5.3 Right to Erasure (Right to be Forgotten)

You have the right to request deletion of your data, subject to legal retention obligations. We will delete your account data within 30 days of your request, with a 90-day backup retention period.

5.4 Right to Data Portability

You have the right to request your data in a structured, commonly used format (e.g., JSON, CSV) and to transmit it to another service provider.

5.5 Right to Restrict Processing

You have the right to restrict how we process your data in certain circumstances.

5.6 Right to Object

You have the right to object to certain types of processing, including marketing communications.

5.7 How to Exercise Your Rights

To exercise any of these rights, email us at hello@paycircuit.eu with your request. We will respond within 30 days (or as required by law).

6. Cookies & Tracking

PayCircuit uses minimal cookies:

• Essential Cookies: For authentication and session management.
• Analytics Cookies: To understand how our service is used (optional, can be declined).

We do not use third-party advertising cookies or cross-site tracking.

7. Data Processing Agreement (DPA)

As a B2B service, PayCircuit acts as a data processor on behalf of your organization. A signed Data Processing Agreement is available upon request. It covers:

• Scope of processing (failed payment metadata)
• Duration and subject matter
• Data subjects (your customers)
• Types of personal data
• Our obligations as a processor
• Sub-processor arrangements

Contact hello@paycircuit.eu to request a DPA.

8. International Data Transfers

PayCircuit operates primarily in the EU. Our servers, databases, and service providers are all EU-based. We do not transfer personal data outside the EU/EEA except where necessary for service delivery, in which case we rely on appropriate safeguards (e.g., Standard Contractual Clauses).

9. Privacy Officer & Data Protection Authority

For privacy-related inquiries or to exercise your data rights:

• Email: hello@paycircuit.eu
• Response Time: 30 days (as per GDPR)

If you believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority (DPA). For EU residents, you can contact your national DPA or the Irish Data Protection Commission (our primary regulator).

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email or a prominent notice on our website. Your continued use of PayCircuit after changes constitute your acceptance of the updated policy.