Recovr

Privacy Policy

Last updated: 21 April 2026

Recovr ("we", "us", "our") is committed to protecting the privacy of our merchants and their customers. This Privacy Policy explains what personal information we collect, how we use it, and your rights under the Protection of Personal Information Act (POPIA) and, where applicable, the General Data Protection Regulation (GDPR).

1. Who We Are

Recovr is a payment recovery service operated from Cape Town, South Africa. We help subscription businesses on Paystack recover revenue from failed payments through automated retries and email reminders.

For the purposes of POPIA:

  • When processing merchant data (your account information), we are the responsible party
  • When processing end-customer data (your customers' payment details), we are an operator acting on your behalf, and you are the responsible party

2. What Data We Collect

2.1 From Merchants (You)

| Data | Purpose | Legal Basis |
|---|---|---|
| Email address, name | Account creation, communication | Contract performance |
| Company name, branding settings | Branded dunning emails | Contract performance |
| Paystack secret key | API access for retries and data retrieval | Contract performance |
| Billing information | Invoicing for recovery fees | Contract performance |

2.2 From Your Customers (via Paystack Webhooks)

| Data | Purpose | Legal Basis |
|---|---|---|
| Email address, name | Sending dunning emails on your behalf | Legitimate interest / contract performance |
| Payment amount, currency | Recovery tracking and dashboard | Legitimate interest |
| Card authorisation token | Retrying failed charges via Paystack API | Contract performance |
| Decline reason / gateway response | Smart retry timing decisions | Legitimate interest |
| Subscription and plan codes | Linking payments to subscriptions | Contract performance |

What we never collect or store:

  • Credit or debit card numbers
  • CVV codes or card PINs
  • Bank account numbers or login credentials
  • Customer passwords or authentication credentials
  • Any data beyond what Paystack sends in webhook events

3. How We Use Data

We use the data we collect exclusively to:

  • Send transactional emails to your customers about their failed payments
  • Retry failed charges using Paystack's Charge Authorization API
  • Display recovery metrics and analytics in your dashboard
  • Calculate and invoice our recovery fee
  • Improve our retry timing algorithms (using aggregated, anonymised data only)

We do not sell, rent, or share personal data with third parties for marketing purposes. We do not use customer data for any purpose other than payment recovery on your behalf.

4. Data Sharing

| Recipient | Purpose | Data Shared |
|---|---|---|
| Paystack | Retrying charges, verifying webhooks | Authorisation tokens, amounts (via their API) |
| Resend (email provider) | Delivering dunning emails | Customer email address, email content |
| Supabase (database host) | Data storage | All data listed in Section 2, encrypted at rest |
| Vercel (hosting provider) | Application hosting | Server logs (IP addresses, request metadata) |

All sub-processors are contractually bound to protect personal data and process it only on our instructions.

5. Data Security

  • Encryption at rest: Paystack secret keys and sensitive data are encrypted using AES-256 before storage
  • Encryption in transit: All data transmission uses TLS 1.2 or higher (HTTPS)
  • Access controls: Database access is restricted to application-level service accounts only
  • No card data: We never receive, process, or store credit/debit card numbers
  • Webhook verification: All incoming webhooks are verified using HMAC SHA-512 signatures before processing

6. Data Retention

| Data Type | Retention Period |
|---|---|
| Active merchant account data | Duration of the account + 90 days |
| Failed payment records | 12 months from creation, or account deletion + 90 days |
| Recovery attempt logs | 12 months from creation |
| Paystack API keys | Deleted within 7 days of account disconnection |
| Invoicing records | 5 years (South African tax requirement) |

7. Transactional Emails

Recovr sends transactional emails to your customers regarding their failed subscription payments. These emails are sent on your behalf, branded with your company identity, and limited to payment recovery communications only. Under POPIA Section 69 and GDPR Recital 47, transactional communications related to the performance of a contract do not require separate direct marketing consent.

8. Your Rights (Merchants)

Under POPIA and GDPR, you have the right to access, correct, delete, or port your data, and to object to processing. Email privacy@recovr.co.za — we will respond within 30 days.

9. End-Customer Rights

If an end-customer contacts us with a data rights request, we will notify you within 48 hours and assist you in responding. If an end-customer requests to stop receiving dunning emails, we will exclude them from further sequences.

10. International Data Transfers

Our infrastructure providers (Supabase, Vercel, Resend) may process data outside South Africa. Where this occurs, we ensure adequate protection through standard contractual clauses and encryption of data in transit and at rest.

11. Cookies and Tracking

Our website uses only essential cookies required for authentication and session management. We do not use tracking, analytics, or advertising cookies.

12. Children's Privacy

Recovr is a business-to-business service and is not directed at individuals under the age of 18.

13. Changes to This Policy

We will notify merchants of material changes via email at least 14 days before they take effect.

14. Complaints

You may lodge a complaint with the Information Regulator of South Africa:

Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg
complaints.IR@justice.gov.za · 012 406 4818

15. Contact

Recovr
Cape Town, South Africa
privacy@recovr.co.za

© 2026 Recovr. Built in Cape Town for African SaaS businesses.