
GDPR & Data Privacy

LostChurn's data retention policies, right to erasure, data export capabilities, and GDPR compliance practices.

LostChurn is designed to comply with the General Data Protection Regulation (GDPR) and other major data privacy frameworks. This page covers how LostChurn handles personal data, your rights as a data controller, and the tools available to you for managing customer data.

Data Processing Role

When you use LostChurn, you are the data controller and LostChurn acts as a data processor. You determine what customer data is sent to LostChurn (via webhook payloads from your payment processor), and LostChurn processes it solely for the purpose of recovering failed payments on your behalf.

| Role | Entity | Responsibility |
|---|---|---|
| Data Controller | Your business | Determines the purposes and means of processing |
| Data Processor | LostChurn | Processes data on your behalf, per your instructions |
| Sub-processors | See list below | Third-party services LostChurn uses to deliver the product |

Personal Data We Process

LostChurn processes only the personal data necessary for payment recovery. The data originates from webhook payloads sent by your payment processor and from actions taken through the LostChurn dashboard.

| Data Category | Examples | Purpose | Retention |
|---|---|---|---|
| Customer identifiers | Name, email address | Dunning communications, dashboard display | Active + 90 days |
| Payment metadata | Last four digits, card brand, expiration | Recovery classification, dashboard display | Active + 90 days |
| Transaction records | Invoice IDs, amounts, currencies, decline codes | Recovery processing, analytics | Active + 1 year |
| Communication logs | Email/SMS delivery status, open/click events | Campaign analytics, troubleshooting | Active + 1 year |
| Recovery state | Retry history, recovery status, state transitions | Core recovery operations | Active + 1 year |
| Webhook payloads | Raw PSP webhook bodies | Debugging, audit trail, data portability | 548 days (R2 cold storage) |

"Active" means the subscription is still being monitored by LostChurn. Once a subscription is no longer monitored (e.g., it was canceled or the integration was disconnected), the retention clock begins.

Data Retention Policies

LostChurn applies the following default retention periods. Enterprise customers can negotiate custom retention schedules.

| Data Type | Default Retention | Configurable |
|---|---|---|
| Failed payment records | 1 year after recovery or terminal state | Yes (Enterprise) |
| Customer contact data | 90 days after last active subscription | Yes (Enterprise) |
| Campaign delivery logs | 1 year from send date | Yes (Enterprise) |
| Webhook payloads (R2) | 548 days from ingestion | Yes (Enterprise) |
| Audit logs | 548 days (1.5 years) | No |
| Aggregated analytics | Indefinite (anonymized) | No |

When the retention period expires, data is automatically purged from all primary datastores and backups within 30 days. Webhook payloads stored in Cloudflare R2 are encrypted with AES-256-GCM and automatically expired after the configured retention period.

Aggregated analytics data (recovery rates, revenue totals, campaign performance) is retained indefinitely but contains no personal data. It cannot be linked back to individual customers.

Right to Erasure

Under GDPR Article 17, individuals have the right to request deletion of their personal data. LostChurn provides two mechanisms for handling erasure requests.

Dashboard Erasure

  1. Navigate to Customers in the LostChurn dashboard.
  2. Search for the customer by email or name.
  3. Open the customer detail view.
  4. Click Delete Customer Data.
  5. Confirm the deletion. This action is irreversible.

This removes all personal data associated with the customer, including:

  • Name and email address
  • Payment method details (last four, brand, expiration)
  • Communication history
  • Recovery state and retry history
  • Raw webhook payloads stored in R2 cold storage

Transaction records are anonymized (customer identifiers are removed) but retained for your financial reporting obligations. Webhook payloads in R2 are deleted directly via the erasure procedure or queued for cleanup within 24 hours.

API Erasure

You can also delete customer data programmatically using the Customers API:

curl -X DELETE https://api.lostchurn.com/v1/customers/cus_abc123 \
  -H "Authorization: Bearer lc_live_your_api_key"

Response:

{
  "id": "cus_abc123",
  "deleted": true,
  "anonymized_records": 14
}

The API returns the number of transaction records that were anonymized (personal data stripped but financial data retained).

Erasure Timeline

| Action | Timeline |
|---|---|
| Personal data removed from primary datastore | Immediate |
| Webhook payloads removed from R2 cold storage | Immediate (direct) or within 24 hours (queued) |
| Removed from search indexes and caches | Within 24 hours |
| Removed from backups | Within 30 days |
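
The API erasure call and the erasure timeline above, combined into a client that confirms the response before recording a request as fulfilled. This is an added example, not LostChurn's own code; the `cus_` ID pattern, the `ticket_ref` field and the injectable `send` transport are assumptions, while the 24-hour and 30-day figures come from the timeline table.

```python
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://api.lostchurn.com/v1"       # base URL from the curl example
CUSTOMER_ID = re.compile(r"cus_[A-Za-z0-9]+")   # assumed ID shape, from "cus_abc123"


def http_delete(url, api_key):
    """Default transport: send the DELETE and return the decoded JSON body."""
    req = urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def erase_customer(customer_id, api_key, ticket_ref, send=http_delete, now=None):
    """Erase one customer; return an audit record holding no name or email."""
    # Reject anything that could alter the request path (e.g. "../" or "?").
    if not CUSTOMER_ID.fullmatch(customer_id):
        raise ValueError("unexpected customer id format")
    body = send(f"{API_BASE}/customers/{customer_id}", api_key)

    # Treat the erasure as done only if the response confirms this exact ID.
    if body.get("id") != customer_id or body.get("deleted") is not True:
        raise RuntimeError(f"erasure not confirmed for {customer_id}")
    anonymized = body.get("anonymized_records")
    if isinstance(anonymized, bool) or not isinstance(anonymized, int) or anonymized < 0:
        raise RuntimeError("anonymized_records missing or malformed")

    done = now or datetime.now(timezone.utc)
    return {
        "ticket_ref": ticket_ref,            # your own request ID, not an email
        "customer_id": customer_id,
        "erased_at": done.isoformat(),
        "anonymized_records": anonymized,
        # Latest completion times from the erasure timeline table.
        "r2_and_caches_by": (done + timedelta(hours=24)).isoformat(),
        "backups_by": (done + timedelta(days=30)).isoformat(),
    }
```

Load the API key from a secret store or environment variable at call time so it never lands in source control or in the audit record.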

Data Export

Under GDPR Article 20, individuals have the right to receive their personal data in a portable format.

Dashboard Export

  1. Navigate to Customers and select the customer.
  2. Click Export Data.
  3. Choose the format: JSON or CSV.
  4. The export is generated and available for download within a few seconds.

API Export

curl https://api.lostchurn.com/v1/customers/cus_abc123/export \
  -H "Authorization: Bearer lc_live_your_api_key" \
  -H "Accept: application/json"

The response includes all personal data LostChurn holds for that customer in a structured JSON format.

Data Processing Agreement (DPA)

LostChurn provides a Data Processing Agreement that meets GDPR Article 28 requirements. The DPA covers:

  • Scope and purpose of processing
  • Data security obligations
  • Sub-processor management
  • Breach notification procedures (72-hour notification)
  • Audit rights
  • Data return and deletion upon termination

To request a signed DPA, email privacy@lostchurn.com or download the standard DPA from Settings > Legal in your dashboard.

A signed DPA is included automatically on Revenue Recovery System, Revenue Command, and Enterprise plans. Recovery Engine plan customers can request one at no additional cost.

Sub-Processors

LostChurn uses the following sub-processors to deliver the service. This list is maintained and updated with 30 days' notice before any new sub-processor is added.

| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Cloudflare | Edge compute, CDN, DDoS protection, R2 object storage | Webhook payloads (in transit and at rest via R2) | Global |
| Clerk | Authentication and session management | Dashboard user email, name | United States |
| Resend | Transactional email delivery | Customer email, dunning content | United States |
| Twilio | SMS delivery | Customer phone number, message content | United States |
| Google Cloud | LLM inference (Gemini) | Anonymized decline data for prompt generation | United States |

Sub-Processor Change Notification

You can subscribe to sub-processor change notifications in Settings > Legal > Sub-processor Updates. When LostChurn adds or removes a sub-processor, you will receive an email notification 30 days before the change takes effect. If you object to a new sub-processor, you may terminate the affected service without penalty during the notice period.

International Data Transfers

For transfers of personal data outside the European Economic Area (EEA), LostChurn relies on:

  • Standard Contractual Clauses (SCCs): Included in the DPA for transfers to sub-processors in the United States and other non-adequate countries.
  • Adequacy decisions: Where available (e.g., UK, Canada, Japan), transfers are made under the relevant adequacy decision.

Your Obligations as Data Controller

As the data controller, you are responsible for:

  1. Lawful basis: Ensuring you have a lawful basis (e.g., legitimate interest, contractual necessity) for sending customer data to LostChurn for payment recovery.
  2. Privacy notice: Informing your customers that you use a third-party service for payment recovery and including LostChurn (or a generic reference to payment recovery processors) in your privacy policy.
  3. Erasure requests: Forwarding erasure requests to LostChurn when a customer exercises their right to deletion.
