Privacy Policy

Last updated: April 14, 2026

1. Introduction

SaveMRR ("we," "us," or "our") operates the SaveMRR platform and website (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. This policy is compliant with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). By accessing the Service, you agree to the collection and use of information as described in this policy.

2. Information We Collect

Account Information: When you create an account, we collect your name, email address, and payment information (processed securely through Polar.sh, our payment processor).

Stripe Integration Data: When you connect your Stripe account via a restricted API key, we access subscription data, customer data, invoice data, and revenue metrics necessary to provide our retention and churn prevention services. Your Stripe API key is AES-256 encrypted at rest and never stored in plain text or logs. We never access your Stripe password, payouts, transfers, bank details, or full payment card numbers.

Usage Data: We automatically collect information about how you interact with the Service, including pages visited, features used, browser type, IP address, and device information.

Chat Data: If you use our website chat, we store your conversation, email (if provided), IP address, and browser user-agent to improve support, prevent abuse, and follow up on inquiries. Your IP address is processed on the basis of legitimate interest for security purposes and is automatically purged after 48 hours.

Cookies: We use essential cookies required for Service functionality (session authentication) and optional analytics cookies (Google Tag Manager) to improve our product. Analytics cookies are only loaded after you consent. You can withdraw consent at any time via the cookie banner or your browser settings.

3. Lawful Basis for Processing (GDPR)

Under the GDPR, we process your personal data on the following legal bases:

  • Contract Performance: Processing necessary to provide the Service you signed up for (account management, Stripe data analysis, retention engines).
  • Legitimate Interest: Service improvement, security monitoring, and fraud prevention.
  • Consent: Analytics cookies and marketing communications. You may withdraw consent at any time.
  • Legal Obligation: Where required by applicable law (tax records, regulatory compliance).

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service
  • Analyze your Stripe data to generate revenue diagnostics and churn prevention recommendations
  • Send dunning emails, win-back emails, and engagement emails on your behalf to your customers
  • Process transactions and send related information
  • Send service-related communications, updates, and security alerts
  • Respond to your inquiries and provide customer support
  • Monitor usage patterns to improve functionality and user experience

5. Data Sharing & Sub-processors

We do not sell, trade, or rent your personal information to third parties. We share data only with the following sub-processors, bound by data processing agreements:

  • Railway (US): Infrastructure hosting for our API and database.
  • Vercel (US): Hosting for our dashboard and landing page.
  • Resend (US): Transactional email delivery on your behalf.
  • Polar.sh (EU): Subscription billing and payment processing.
  • Anthropic (US): AI-powered insights (churn analysis, chat support). No personal data is used for model training.
  • Upstash / Redis (US): Rate limiting and job queue processing.
  • Twilio (US): SMS delivery for optional SMS notifications. Only used if you configure an SMS provider in settings.

We may also disclose information when required by law, regulation, legal process, or governmental request, or in connection with a business transfer (merger, acquisition, or sale of assets).

6. Data Security

We implement the following security measures:

  • AES-256 encryption for Stripe API keys at rest
  • TLS/SSL encryption for all data in transit
  • Parameterized database queries (SQL injection prevention)
  • Redis-backed rate limiting on all API endpoints
  • Stripe webhook signature verification
  • HTTP-only session cookies with strict CORS policies
  • Input validation and sanitization on all user inputs
  • Restricted Stripe API keys with no access to payouts, transfers, or bank details

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Upon account deletion, we delete all your data within 30 days, including Stripe connection data, customer records, email logs, and analytics. Exceptions: data required by law for tax or regulatory purposes may be retained for up to 7 years.

8. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interest.
  • Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.
  • Right to Lodge a Complaint: File a complaint with your local data protection authority.

To exercise these rights, email support@savemrr.co. We respond within 30 days.

9. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the CCPA:

  • Right to Know: Request what personal information we collect, use, and disclose.
  • Right to Delete: Request deletion of your personal information.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
  • No Sale of Data: We do not sell your personal information. We have never sold personal information.

To exercise these rights, email support@savemrr.co.

10. Data Processing Agreement (DPA)

SaveMRR acts as a data processor when handling your customers' data on your behalf. Our full Data Processing Agreement (DPA) is publicly available and incorporated into our Terms of Service. If you require a countersigned copy, email support@savemrr.co.

11. International Data Transfers

Your information is processed in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. Our sub-processors maintain appropriate safeguards for international data transfers.

12. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy on this page. Your continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, contact us at:

SaveMRR · support@savemrr.co