Data Processing Agreement

Last updated: April 5, 2026

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Terms of Service between RenewalRescue ("Processor") and the merchant using the service ("Controller").

To request a countersigned copy of this DPA, email support@renewalrescue.com with the subject line "DPA Request".

1. Definitions

"Personal Data", "Controller", "Processor", "Processing", and "Data Subject" have the meanings given in applicable data protection law, including the GDPR where applicable.

2. Subject matter and duration

RenewalRescue processes Personal Data on behalf of the Controller solely to provide the payment recovery service described in the Terms of Service. Processing continues for the duration of the Controller's use of the service and for the data retention period set out in clause 8.

3. Nature and purpose of processing

RenewalRescue processes Personal Data for the following purposes:

  • Sending payment recovery email notifications to the Controller's customers on the Controller's behalf.
  • Sending payment authentication (SCA / 3D Secure) email notifications.
  • Maintaining logs of sent notifications and recovery activity for audit and dispute resolution purposes.

RenewalRescue will not process Personal Data for any purpose other than those set out above without the Controller's prior written instruction.

4. Types of personal data and categories of data subjects

Types of personal data: name, email address, invoice amount and currency, payment failure reason, Stripe-hosted invoice URL.

Categories of data subjects: the Controller's customers who have active or recently failed subscription or invoice payments.

5. Controller obligations

The Controller warrants that:

  • It has a lawful basis under applicable law to transfer Personal Data to RenewalRescue for the purposes described above.
  • Its own privacy policy discloses to data subjects that third-party processors may be used to send payment recovery communications on the Controller's behalf.

6. Processor obligations

RenewalRescue agrees to:

  • Instructions: Process Personal Data only on the Controller's documented instructions as set out in this DPA and the Terms of Service.
  • Confidentiality: Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Security: Implement appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  • Sub-processors: Only engage sub-processors as listed in clause 7, and on terms that impose equivalent data protection obligations.
  • Data subject rights: Promptly notify the Controller of any data subject request received and provide reasonable assistance to enable the Controller to respond within required timeframes.
  • Data breach: Notify the Controller without undue delay upon becoming aware of a personal data breach affecting the Controller's data.
  • Audit: Provide the Controller with reasonable information necessary to demonstrate compliance with this DPA upon written request.

7. Sub-processors

The Controller provides general authorisation for RenewalRescue to engage sub-processors that support delivery of the service. RenewalRescue will notify the Controller of any intended changes to material named sub-processors and give the Controller the opportunity to object where required by applicable law.

The following named sub-processors are used for core processing: Stripe (payments and merchant account linking) and Resend (email delivery). Additional providers may be used for hosting, content delivery, and application monitoring; those are engaged under written terms that impose appropriate data protection obligations. A current list of named sub-processors is available on request at support@renewalrescue.com.

8. Retention and deletion

Personal Data is retained for up to 5 years from the date of the relevant transaction to comply with applicable financial recordkeeping obligations (including PSD2 and applicable tax law). After this period, Personal Data is automatically and permanently deleted.

Upon termination of the Controller's account, RenewalRescue will delete or anonymise Personal Data within 90 days, except where longer retention is required by applicable law.

9. Transfers outside the EEA

Where Personal Data is transferred outside the European Economic Area, RenewalRescue will ensure an adequate level of protection through appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission.

10. Governing law

This DPA is governed by the same law as the Terms of Service.

Contact

Questions about this DPA? Email us at support@renewalrescue.com.