HomePrivacy Policy

Privacy Policy

Effective March 17, 2026 · Last updated March 17, 2026

DunningKit is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how you can control it.

GDPR Compliant CCPA Compliant No data selling

1. Overview

DunningKit (“we,” “our,” “us”) is a Stripe churn recovery platform. We provide automated payment retry, AI-generated recovery emails, and analytics services to SaaS businesses (“Customers”).

This Privacy Policy applies to all information we process about (a) Customers who create a DunningKit account, and (b) the end-users of our Customers (“End Users”) whose data we handle as a data processor on behalf of our Customers. Where applicable, we identify which type of data subject each section addresses.

By using DunningKit, you agree to the collection and use of information in accordance with this policy.

2. Data We Collect

2.1 Account Data (Customers)

When you create a DunningKit account, we collect:

  • Identity data: first name, last name, email address (via Clerk authentication)
  • Authentication data: managed by Clerk; we store only the Clerk User ID
  • Billing data: Stripe Customer ID and subscription ID; we never store full card numbers
  • Brand preferences: business name, logo URL, brand color, brand tone, brand description
  • Notification preferences: email alerts and Slack webhook settings
  • SMTP credentials: if you configure custom outbound email, SMTP credentials are encrypted with AES-256-GCM at rest

2.2 Stripe Payment Data (End Users of Customers)

When you connect your Stripe account, DunningKit receives data from Stripe via webhooks and the Stripe API on your behalf:

  • Failed invoice details: invoice ID, amount, currency, failure reason, failure code
  • Customer information: Stripe Customer ID, customer email, customer name, subscription plan
  • Payment attempt history: retry timestamps, outcomes, decline types
  • Stripe access tokens: encrypted with AES-256-GCM, never stored in plain text

We act as a data processor for this data. Our Customers are the data controllers responsible for their end-users’ data. We process it only to provide the service described in your account.

2.3 Usage & Technical Data

  • IP address (logged by Vercel infrastructure, not stored in our database)
  • Browser type and version (standard server logs)
  • Pages visited within the dashboard and timestamps
  • API request logs for error diagnosis (anonymized after 30 days)
  • Google Analytics 4 events (anonymized, with IP anonymization enabled) — see Section 8

2.4 AI Processing Data

When you use AI email generation, DunningKit sends the following to Google Gemini API:

  • Customer first name and plan name from Stripe
  • Failure reason and decline type
  • Your brand name and tone preferences

We do not send your customers’ email addresses, full names, or any payment card information to the AI service.

3. How We Use Your Data

We use collected data for the following purposes:

  • Service delivery: detecting failed payments, scheduling retries, sending recovery emails, generating hosted payment links
  • AI features: generating personalized recovery email content via Google Gemini
  • Analytics: providing you with recovery rate dashboards, trend charts, and export reports
  • Communications: sending recovery email sequences to your customers on your behalf; sending transactional account notifications (receipts, alerts) to you
  • Security: detecting fraud, abuse, and unauthorized access
  • Legal compliance: complying with applicable laws, tax obligations, and responding to lawful requests
  • Product improvement: analyzing aggregated, anonymized usage patterns to improve the platform — we never use individual customer data for this

We do not use your data for advertising, sell it to third parties, or use individual customer records for model training.

4. Third-Party Services

DunningKit relies on the following sub-processors to deliver the service:

Clerk

United States

Authentication and user session management

Stores identity data on our behalf

Privacy policy →

Stripe

United States / Ireland

Payment processing and Stripe Connect for OAuth

We access your Stripe account via OAuth on your behalf

Privacy policy →

Google Gemini API

United States

AI-generated recovery email content

Receives minimal pseudonymized data; no PII

Privacy policy →

Resend

United States

Transactional email delivery

Receives recipient email, subject, and body for delivery

Privacy policy →

Neon (Neondatabase, Inc.)

United States (AWS us-east-1)

PostgreSQL database hosting

All data is encrypted at rest

Privacy policy →

Vercel, Inc.

United States

Application hosting and CDN

Server logs may contain IP addresses; not stored by us

Privacy policy →

Google Analytics 4

United States

Aggregated usage analytics for marketing pages

IP anonymization enabled; you can opt out via browser settings

Privacy policy →

5. Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We disclose data only in these limited circumstances:

  • Sub-processors: as listed in Section 4, solely to deliver the contracted service
  • Legal requirements: when required by applicable law, regulation, court order, or governmental authority
  • Safety: to protect the rights, property, or safety of DunningKit, our customers, or others
  • Business transfers: in the event of a merger, acquisition, or sale of assets, data may be transferred to the successor entity under the same privacy obligations
  • With your consent: for any other purpose you explicitly authorize

6. Data Retention

  • Account data: retained for the duration of your account. After deletion, account data is purged within 90 days except where legally required (e.g., billing records).
  • Payment records: failed payment records are retained for 2 years for audit purposes, then permanently deleted. Archived records (payments older than 90 days) are kept in a lightweight cold-storage copy.
  • Email logs: email send records are retained for 12 months, then deleted.
  • Server logs: application logs are retained for 30 days, then automatically purged.
  • Billing receipts: retained for 7 years to comply with tax and accounting obligations.
  • GDPR erasure requests: completed within 30 days. Certain records may be retained if required by law.

You can request deletion of your account and associated data at any time via Settings → Account → Delete Account or by emailing privacy@dunningkit.com.

7. Security

We implement industry-standard security measures to protect your data:

  • Encryption at rest: Stripe access tokens and SMTP credentials use AES-256-GCM encryption
  • Encryption in transit: all data is transmitted over TLS 1.2+ (HTTPS enforced)
  • Authentication: managed by Clerk with session token expiry and secure cookie flags
  • Payment links: secured with HMAC-SHA256 signed tokens (30-day expiry)
  • Database: Neon PostgreSQL with network isolation, encrypted at rest
  • Least-privilege access: internal database access scoped to individual workspace data
  • PCI DSS SAQ A: card data is handled exclusively by Stripe’s PCI-certified infrastructure — we never store or transmit card numbers

Despite our measures, no system is 100% secure. If you discover a vulnerability, please report it responsibly to security@dunningkit.com.

8. Cookies & Tracking

DunningKit uses a minimal set of cookies:

CookieTypePurposeExpiry
__sessionEssentialClerk authentication session tokenSession / 1 year
__client_uatEssentialClerk client session managementSession
_ga, _ga_*AnalyticsGoogle Analytics 4 — aggregated page analytics (anonymized)2 years

We do not use advertising cookies, cross-site tracking, or fingerprinting. You can disable analytics cookies through your browser settings or a browser extension. Essential cookies cannot be disabled without breaking authentication.

9. Your Rights (GDPR & CCPA)

If you are in the European Economic Area, United Kingdom, or California, you have the following rights:

Right of Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure

Request deletion of your data (“right to be forgotten”)

Right to Portability

Receive your data in a machine-readable format (JSON or CSV)

Right to Restriction

Limit how we process your data while a dispute is resolved

Right to Object

Object to processing based on legitimate interests

Right to Withdraw Consent

Where processing is based on consent, withdraw it at any time

CCPA Opt-Out

California residents can opt out of data selling (we don’t sell data)

To exercise any of these rights, email privacy@dunningkit.com with subject line “Privacy Rights Request.” We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, your national DPA in the EU).

Our legal basis for processing Customer data is contract performance (to deliver the service). For analytics and product improvement, our basis is legitimate interest, which you can object to at any time.

10. Children’s Privacy

DunningKit is a B2B SaaS platform not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact us immediately at privacy@dunningkit.com and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Send an email notification to the account owner at least 14 days before the change takes effect
  • Show an in-app banner on your next login

Your continued use of DunningKit after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries, erasure requests, or data access requests:

DunningKit

privacy@dunningkit.com

We aim to respond to all privacy requests within 5 business days and will resolve them within 30 days as required by GDPR.