Privacy Policy

• Account data: email address and name when you sign in or create a workspace.
• Stripe data: when you connect your Stripe account via OAuth, we access invoice data, customer email addresses, and payment statuses on your behalf. We do not store raw card numbers or payment credentials.
• Usage data: pages visited, features used, and timestamps — used to improve the product.
• Communication data: if you contact us by email we retain that correspondence.

• To provide the Dunnly recovery service (smart retries, dunning emails, analytics).
• To send dunning emails to your customers on your behalf.
• To calculate and issue our performance-based invoices.
• To improve and debug our platform.
• To comply with legal obligations.

We do not sell your data or your customers' data to third parties.

For personal data covered by the GDPR, we process data under one or more of the following legal bases:

• Performance of a contract: to provide the service you requested, including account access, Stripe integration, retries, and dunning workflows.
• Legitimate interests: to secure, monitor, improve, and debug our platform, prevent abuse, and maintain service reliability.
• Legal obligation: where we must retain or disclose data to comply with applicable law, accounting, tax, or regulatory requirements.

When Dunnly sends dunning emails or triggers retries, we act as a data processor on behalf of you (the data controller). Your customers' email addresses and invoice amounts are processed only to perform the recovery service you have contracted us for. We delete this data within 90 days of account termination.

• Stripe — payment processing and Connect OAuth. Subject to Stripe's own privacy policy.
• Supabase — database and authentication. Data is stored in EU regions.
• OpenAI — used to generate dunning email copy. No personal data is included in prompts beyond first name and invoice amount.
• SMTP provider — used to deliver dunning emails.

We engage these providers as sub-processors where applicable and require them to implement appropriate security and data protection measures.

Where personal data is transferred outside the EU/EEA, we rely on recognized transfer safeguards, such as the European Commission's Standard Contractual Clauses (SCCs), where required.

We retain your workspace data for as long as your account is active. On account deletion we remove your data within 30 days. Stripe event logs are retained for 12 months for audit purposes.

If you are located in the EU/EEA you have the right to:

• Access the personal data we hold about you.
• Request correction or deletion of your data.
• Object to or restrict processing.
• Data portability.
• Lodge a complaint with the Dutch supervisory authority (Autoriteit Persoonsgegevens).

To exercise these rights, email us at privacy@dunnly.co. We may need to verify your identity before completing your request.

We use only functional cookies required to maintain your login session. We do not use advertising or tracking cookies.

All data is transmitted over TLS. Database access is restricted via row-level security. Stripe credentials are never stored in plaintext.

We maintain internal procedures for investigating and responding to suspected personal data incidents. Where required by law, we will notify affected customers and relevant supervisory authorities without undue delay.

If you use Dunnly to process personal data as a controller, you may request our Data Processing Agreement (DPA) at privacy@dunnly.co.

Bear Software — privacy@dunnly.co
Based in the Netherlands
KvK: 42017540
VAT: NL005437235B03

For compliance due diligence (including company registration details), contact us at the same address.