Last updated: February 28, 2026

Privacy Policy

This privacy policy explains how DunningDog ("we", "us", "our") collects, uses, stores, and protects your personal data when you visit our website at dunningdog.com, use our dashboard, or interact with our services. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

DunningDog

Email: privacy@dunningdog.com

If you have questions about how we handle your personal data or wish to exercise your rights, please contact us at the email address above.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Information

When you create an account, we collect your email address and name (if provided). If you sign in via Google or Microsoft OAuth, we receive your name, email, and profile identifier from the identity provider. We do not receive or store your password from third-party OAuth providers.

2.2 Billing Data

When you subscribe to a paid plan, we collect your Stripe customer ID, subscription ID, and billing plan selection. Payment card details (card number, CVC, expiry) are collected and processed directly by Stripe, Inc. and are never stored on DunningDog servers.

2.3 Connected Stripe Account Data

When you connect your Stripe account via OAuth, we receive and store an encrypted OAuth access token and your Stripe account ID. We use this to read invoice, subscription, and payment method data from your connected Stripe account for the purpose of payment recovery. We process the following data from your Stripe account:

  • Invoice status and amounts (payment failed/succeeded events)
  • Subscription status and customer identifiers
  • Payment method type and last-four digits (for pre-dunning alerts)
  • Card expiration dates (to detect expiring cards)

We do not access full card numbers, bank account details, or personal identification documents from your connected Stripe account.

2.4 Usage Data

We collect data about how you use DunningDog, including pages visited, features used, recovery dashboard interactions, and sequence configurations. This data is collected via PostHog (analytics) and Sentry (error tracking) and may include your IP address, browser type, operating system, and device information.

2.5 Email Interaction Data

When DunningDog sends dunning emails on your behalf to your customers, we log the recipient email address, send timestamp, and delivery status. We use Resend as our email delivery provider.

2.6 Support Communications

If you contact us via email, we retain your message content, email address, and any attachments for the purpose of resolving your inquiry.

4. How We Use Your Data

We use the personal data we collect to:

  • Create and maintain your account and workspace
  • Connect to your Stripe account and ingest billing events via webhooks
  • Detect at-risk subscriptions and expiring payment methods (pre-dunning)
  • Execute dunning email sequences to recover failed payments
  • Display recovery metrics, dashboard data, and analytics
  • Process your subscription payments via Stripe
  • Send operational emails (account confirmation, password reset, billing receipts)
  • Monitor and fix errors in the application (Sentry)
  • Understand how the product is used and improve it (PostHog)
  • Respond to your support requests
  • Comply with applicable laws and regulations

We do not sell your personal data to third parties. We do not use your data for advertising or profiling for marketing purposes.

5. Service Providers & Data Recipients

We share personal data only with third-party service providers who process data on our behalf, under written data processing agreements (DPAs):

Provider | Purpose | Location
Vercel, Inc. | Application hosting & edge functions | United States
Supabase, Inc. | Authentication & database | United States / EU
Stripe, Inc. | Payment processing & Connect OAuth | United States
Resend, Inc. | Transactional email delivery | United States
Sentry (Functional Software, Inc.) | Error monitoring & performance tracking | United States
PostHog, Inc. | Product analytics | United States / EU
Inngest, Inc. | Background job processing | United States

We may also disclose data where required by law, court order, or regulatory authority, or to protect the rights, property, or safety of DunningDog, our users, or others.

6. International Data Transfers

Some of our service providers are located in the United States. When personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, included in our data processing agreements
  • Verification that providers maintain adequate security measures and comply with applicable data protection standards
  • Where available, selection of EU-based data processing regions (e.g., Supabase EU, PostHog EU Cloud)

You may request a copy of the safeguards we rely on by contacting privacy@dunningdog.com.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy:

Data Category | Retention Period
Account information | Until account deletion + 30 days
Stripe OAuth tokens (encrypted) | Until Stripe account is disconnected
Recovery attempt data | 24 months after resolution, then anonymized
Email delivery logs | 12 months, then deleted
Metric snapshots | 36 months (aggregated, non-personal)
Billing and invoice records | 7 years (legal/tax obligation)
Support communications | 24 months after last interaction
Error logs (Sentry) | 90 days
Analytics data (PostHog) | 24 months

When data is no longer needed, it is securely deleted or anonymized so it can no longer be associated with you.

8. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

  • Right of access (Art. 15) — Request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — Request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction (Art. 18) — Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
  • Right to object (Art. 21) — Object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

To exercise any of these rights, email privacy@dunningdog.com. We will respond within 30 days. We may ask you to verify your identity before processing your request. There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.

9. Cookies & Tracking Technologies

We use the following cookies and tracking technologies:

  • Essential cookies — Required for authentication and session management (e.g., sb-auth-token). These cannot be disabled as they are necessary for the service to function.
  • Analytics (PostHog) — Used to understand product usage and improve the service. PostHog may set cookies or use local storage to track sessions. You can opt out via your browser settings or by enabling Do Not Track.
  • Error tracking (Sentry) — Captures error data to help us fix bugs. Does not track you across websites.

We do not use advertising cookies or trackers. For more details, see our Cookie Policy.

10. Children's Data

DunningDog is a business-to-business (B2B) service. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact privacy@dunningdog.com.

11. Automated Decision-Making

DunningDog uses automated processing to classify payment decline reasons (hard decline vs. soft decline) and to determine dunning sequence timing. These automated processes affect how and when recovery emails are sent to your customers, but they do not produce legal effects or similarly significant decisions concerning you as defined under Art. 22 GDPR.

You retain full control over your dunning sequences and can modify, pause, or disable them at any time from your dashboard.

12. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Encryption of sensitive credentials (Stripe OAuth tokens) using AES-256
  • Secure authentication via Supabase with PKCE OAuth flow and HTTP-only session cookies
  • Security headers (Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options)
  • Webhook signature verification for all incoming Stripe events
  • Secret-based authentication for cron endpoints
  • Error monitoring via Sentry for rapid incident response
  • Regular dependency updates and adherence to OWASP security best practices

No system is 100% secure. If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by Art. 33 and 34 GDPR.

13. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices or applicable laws. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify registered users via email at least 14 days before changes take effect
  • Post a prominent notice on our website

We encourage you to review this policy periodically. Your continued use of DunningDog after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this privacy policy or your personal data, or wish to exercise your rights, contact us at:

DunningDog — Privacy

Email: privacy@dunningdog.com

General support: support@dunningdog.com

We aim to respond to all privacy-related inquiries within 30 days.