Privacy Policy

Last updated: April 1, 2026

1. Overview

Rebounce ("we", "us", "our") respects your privacy. This policy explains what data we collect, how we use it, and your rights. Rebounce is a B2B payment recovery service — we process data on behalf of our customers (SaaS businesses) to recover their failed payments.

2. Data We Collect

From you (our customer):

  • Email address and company name (account registration)
  • Stripe account connection tokens (encrypted at rest)
  • Billing information (processed by Stripe, not stored by us)
  • Custom email templates and branding preferences

From your customers (end users):

  • Email address and name (from Stripe invoice data)
  • Failed payment details: amount, currency, failure reason
  • Subscription and invoice IDs (Stripe references)
  • Payment recovery status and dunning interaction history

We do NOT collect or store:

  • Credit card numbers or full payment credentials
  • Bank account details
  • Social security numbers or government IDs

3. How We Use Data

  • Detect and classify failed payments via Stripe webhooks
  • Send dunning email sequences to recover failed payments
  • Retry failed charges at optimal times via Stripe API
  • Display recovery analytics in your dashboard
  • Process your Rebounce subscription billing

4. Data Security

  • Stripe OAuth tokens encrypted at rest using AES-256-GCM
  • Encryption keys derived via scrypt from application secret
  • Payment update links use JWT tokens with 72-hour expiry
  • All data transmitted over HTTPS/TLS
  • Database protected by Supabase Row Level Security
  • Webhook endpoints verify Stripe cryptographic signatures
  • Rate limiting on all public endpoints

5. Third-Party Services

We share data with the following services, only as necessary to operate:

  • Stripe — payment processing and account connection
  • Supabase — database hosting (PostgreSQL)
  • Resend — transactional email delivery
  • Inngest — background job orchestration
  • Vercel — application hosting

6. Data Retention

We retain your data for the duration of your account. Failed payment records and dunning logs are kept while your account is active. When you delete your account, we delete your organization data, encrypted tokens, failed payment records, and dunning history. Anonymized aggregate statistics may be retained.

7. Your Rights

You have the right to:

  • Access your data (available via the dashboard)
  • Disconnect your Stripe account at any time
  • Delete your account and all associated data
  • Request a data export by contacting us

If you are in the EU/EEA, you also have rights under the GDPR, including the right to data portability and the right to lodge a complaint with a supervisory authority.

8. Cookies

We use essential cookies only (Supabase authentication session). We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users.

9. Changes

We may update this policy from time to time. We will notify you of material changes via email. The "last updated" date above indicates when this policy was last revised.

10. Contact

For privacy-related questions, contact us at contato@rebounce.dev.