Privacy Policy

Effective date: April 12, 2026  ·  Last updated: April 12, 2026

RecoverIQ LLC ("RecoverIQ," "we," "us," or "our") operates the payment recovery platform at www.recoveriqapp.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Service as a merchant ("you"). It also describes how we process data about your customers on your behalf.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

1. Who We Are

RecoverIQ LLC is a Texas limited liability company. Our registered business address is available upon request at privacy@recoveriqapp.com. For all privacy-related inquiries, contact us at privacy@recoveriqapp.com.

2. Information We Collect

2a. Information you provide directly

• Account information: your name, email address, and company name when you sign up.
• Billing information: payment method details collected and stored by Stripe on our behalf. We do not store raw card numbers.
• Stripe authorization: when you connect your Stripe account via Stripe Connect, we receive and store a Stripe access token scoped to the permissions you authorize.
• Support communications: any messages you send to our support team, including name, email, and issue description.
• Settings and configuration: your choices around email templates, dunning strategies, notification preferences, and AI personalization settings.

2b. Information we receive from Stripe on your behalf

When you connect your Stripe account, RecoverIQ reads the following data from your Stripe account to provide the Service:

• Failed and past-due invoices (invoice ID, amount, currency, status, decline code)
• Customer records (customer ID, name, email address)
• Subscription records (subscription ID, plan/product name, status, billing dates)
• Payment method metadata (card brand, last four digits, expiration date — not full card numbers)
• Charge and payment intent records relevant to failed payment recovery

This data belongs to you and your customers. We process it solely to deliver the Service on your behalf. See Section 8 for details on how we use this data.

2c. Usage and technical data

• Log data: IP address, browser type, pages visited, time and date of requests. Collected automatically by our hosting infrastructure (Vercel).
• Session tokens: authentication tokens stored in secure HTTP-only cookies.

We currently do not deploy any third-party analytics, advertising pixels, or tracking tags on our marketing site or application. If this changes, we will update this Privacy Policy with at least 30 days' notice.

3. Use of AI and Automated Processing (Claude / Anthropic)

On Growth and Scale plans, RecoverIQ uses Anthropic's Claude (a large language model operated by Anthropic, PBC, a US company) to generate personalized copy for payment-recovery emails when AI personalization is enabled. Merchants may disable AI personalization at any time from the dashboard.

What we send to Anthropic when personalizing an email:

• The customer's display name (first name or full name, as stored in Stripe)
• Your company name
• The payment amount due
• The subscription or plan name
• The decline category (A–D: a classification of the failure type — e.g., "likely temporary" vs. "hard decline")
• The email sequence number (1 of 3, 2 of 3, or 3 of 3)
• The template type (e.g., soft decline, card problem, pre-dunning)
• The email HTML template (containing {{variable}} placeholders, not filled customer data)

What we do NOT send to Anthropic:

• Full customer email addresses
• Credit card numbers or bank account data
• Stripe API keys or access tokens
• Invoice IDs or Stripe-internal identifiers
• Any data from customers who have not triggered a recovery event

RecoverIQ does not use your data or your customers' data to train Anthropic's models. Anthropic's API terms prohibit training on customer data by default.

Caching: personalized email copy is cached in memory for up to one hour, keyed by decline category, template type, and sequence number — not by individual customer. This minimizes the number of data transfers to Anthropic.

Customers of RecoverIQ merchants who wish to opt out of having context about their payment failure used for AI-personalized email copy should contact the merchant directly. Merchants may also disable AI personalization globally from their RecoverIQ dashboard Settings page.

4. How We Use Your Information

• To provide the Service: classify declined payments, schedule and execute retries, send dunning emails on your behalf, generate recovery analytics.
• To communicate with you: send transactional emails (onboarding, recovery summaries, billing receipts, support responses) and product notifications.
• To improve the Service: analyze aggregate, de-identified usage patterns to improve retry timing models and template effectiveness. We do not sell or share individual merchant or customer data for this purpose.
• To process billing: manage your RecoverIQ subscription via Stripe.
• To comply with legal obligations: retain records as required by law and respond to lawful requests.

5. Subprocessors

We use the following third-party services to operate RecoverIQ. Each is bound by appropriate data protection obligations.

We will notify merchants at least 30 days in advance of adding a new subprocessor that handles personal data. An up-to-date subprocessor list is always available at this page.

6. Data Sharing and Disclosure

We do not sell your data or your customers' data. We share data only as follows:

• Subprocessors listed above — as described in Section 5, solely to provide the Service.
• Legal requirements — if required by law, court order, or to protect the rights, property, or safety of RecoverIQ, our merchants, or the public.
• Business transfer — in connection with a merger, acquisition, or sale of substantially all assets, with appropriate notice.
• With your consent — for any other purpose, only with your explicit permission.

7. Data Retention

• Active accounts: We retain merchant and customer data for as long as your account is active and as needed to provide the Service.
• Post-cancellation: After you cancel your RecoverIQ account, we retain your data for 30 days to allow for account reactivation. After 30 days, your data and your customers' data is permanently deleted from our systems, unless a longer retention period is required by law.
• Backups: Backups may retain data for up to an additional 30 days after deletion from live systems.
• Legal holds: Data subject to a legal hold may be retained longer as required.

8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate data.
• Deletion: Request deletion of your personal data, subject to legal retention requirements.
• Portability: Request your data in a structured, machine-readable format.
• Opt-out of sale: We do not sell personal data. There is nothing to opt out of.
• Non-discrimination: We will not discriminate against you for exercising any privacy rights.

To exercise any of these rights, email privacy@recoveriqapp.com. We will respond within 45 days (CCPA) or 30 days (GDPR) of receiving your request.

California residents (CCPA/CPRA): You have the right to know what personal information we collect, to request deletion, to opt out of the sale or sharing of personal information (we do neither), and to non-discrimination. To submit a verifiable consumer request, email privacy@recoveriqapp.com.

9. International Data Transfers

RecoverIQ is based in the United States. All subprocessors listed in Section 5 are also US-based. If you are accessing the Service from the European Union, United Kingdom, or another jurisdiction with data transfer restrictions, please be aware that your data will be transferred to and processed in the United States.

If you require a Data Processing Addendum (DPA) for GDPR compliance, please contact us at privacy@recoveriqapp.com. We will provide one upon request.

10. Security

We implement industry-standard technical and organizational measures to protect your data, including:

• TLS/HTTPS encryption for all data in transit
• AES-256-GCM encryption for Stripe access tokens at rest
• Row-level security (RLS) policies enforcing tenant isolation in our database
• Strict access controls — only service-role credentials access production data
• Webhook signature verification on all incoming Stripe and third-party events

No system is perfectly secure. If you believe your account has been compromised, contact us immediately at support@recoveriqapp.com.

11. Cookies

RecoverIQ uses strictly necessary session cookies to maintain your authenticated session. We do not use advertising cookies, third-party tracking cookies, or analytics cookies. You can disable cookies in your browser settings, but doing so will prevent you from logging in to the Service.

12. Children's Data

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If you believe a minor has provided us with personal information, contact us at privacy@recoveriqapp.com and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) at least 30 days before the change takes effect, and update the "Last updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Us

For any questions, requests, or concerns about this Privacy Policy or your personal data:

• Email: privacy@recoveriqapp.com
• General support: support@recoveriqapp.com
• Legal notices: legal@recoveriqapp.com
• Entity: RecoverIQ LLC, Texas, United States