Privacy Policy
Last updated: April 2, 2026
1. Introduction
SimpleRecurring ("we", "our", or "us") provides a subscription management application for Shopify merchants. This Privacy Policy explains how we collect, use, and protect information when you use our application, the customer portal, the merchant dashboard, and any related services.
2. Data Minimization
We only collect and process the minimum personal data required to provide our subscription management services to merchants. We do not collect data beyond what is necessary for the purposes described in this policy.
3. Information We Collect
Store Information
When you install SimpleRecurring, we access your Shopify store data, including store name, domain, email address, and store settings necessary to provide our services.
Customer Data
We process customer data on behalf of merchants, including customer names, email addresses, phone numbers, shipping addresses, and payment method tokens (we never store full payment card details). This data is used solely to manage subscription contracts and send transactional notifications.
Phone Numbers & SMS
If a merchant enables SMS notifications, we collect and store customer phone numbers to send subscription-related text messages (e.g., upcoming renewal reminders, payment failure alerts). SMS is delivered through third-party providers (Twilio, Nexmo/Vonage, or AWS SNS), and phone numbers are shared only with the selected provider for delivery purposes.
Subscription Data
We store subscription contract details, billing attempt history, order information, delivery schedules, and subscription preferences to provide our subscription management services.
Referral & Rewards Data
If a merchant enables the referral program or rewards points, we collect referral codes, referral relationships between customers, points balances, and redemption history.
A/B Testing & Conversion Data
We collect anonymized conversion data for A/B tests configured by merchants, including which test variant a customer was shown and whether they converted. This data is used to help merchants optimize their subscription offerings.
Churn Prediction Data
Our churn prediction feature analyzes subscription behavior patterns (order frequency, skip history, billing failures) using statistical algorithms to calculate churn risk scores. This analysis is performed solely for the merchant whose data it is and is never used to train models across merchants or shared externally.
Usage Data & Cookies
We collect anonymized usage data such as feature usage patterns and error logs to improve our application. The customer portal and merchant dashboard use essential cookies and local storage for session management (e.g., JWT tokens for authentication). We do not use third-party tracking cookies or advertising cookies.
4. How We Use Information
- Providing and maintaining our subscription management services
- Processing subscription billing and payments through Shopify
- Sending subscription-related notifications to customers via email and SMS on behalf of merchants
- Generating analytics, reports, and churn predictions for merchants
- Running A/B tests configured by merchants to optimize conversion
- Managing referral programs and rewards points on behalf of merchants
- Authenticating merchants and customers in the dashboard and portal
- Improving our application and developing new features
- Providing customer support
5. Data Sharing & Sub-Processors
We do not sell, rent, or share personal data with third parties for their marketing purposes. We share data only with the following service providers as necessary to operate our services:
- Shopify: As required to operate within the Shopify platform (subscription contracts, billing, checkout)
- Railway: Application hosting and infrastructure
- PostgreSQL (Railway-managed): Database storage with encrypted connections
- Email providers: SendGrid, Postmark, or merchant-configured SMTP for transactional emails
- SMS providers: Twilio, Nexmo/Vonage, or AWS SNS (only if merchant enables SMS)
- Legal requirements: When required by law, regulation, or legal process
6. External Merchant Dashboard
We operate a merchant dashboard at dashboard.simplerecurring.com that provides analytics, subscription management, and configuration outside of the Shopify admin. This dashboard uses JWT-based authentication (HMAC-SHA256) and does not store additional personal data beyond what is described in this policy.
7. Data Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS) for all connections
- Encrypted database connections
- AES-256 encryption at rest for sensitive data (e.g., API keys, payment tokens)
- JWT-based authentication with HMAC-SHA256 signing
- Rate limiting and input validation on all API endpoints
- Access restricted to authorized personnel only
8. Data Retention
We retain merchant and subscription data for as long as the app is installed. Upon uninstallation, we delete all store and customer data within 30 days, unless retention is required by law. Anonymized analytics data may be retained for up to 12 months after uninstallation.
9. Merchant Responsibilities & Data Protection
Merchants using SimpleRecurring are responsible for ensuring they have appropriate legal bases for processing their customers' personal data, including obtaining necessary consents for email and SMS communications and providing their own privacy notices to end customers.
By installing and using SimpleRecurring, merchants agree to our data processing practices as described in this policy. SimpleRecurring acts as a data processor on behalf of the merchant (data controller) and processes personal data only as instructed by the merchant and as necessary to provide our services. This relationship constitutes a data protection agreement between SimpleRecurring and the merchant.
10. GDPR (European Economic Area)
For merchants and customers in the EEA, we process data as a data processor on behalf of the merchant (data controller). We support the following data subject rights:
- Right of access — request a copy of your data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data
- Right to data portability — receive your data in a structured format
- Right to object — object to processing of your data
Contact us at support@simplerecurring.com to exercise these rights.
11. CCPA (California)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Non-discrimination for exercising your privacy rights
To make a request, contact us at support@simplerecurring.com. We will respond within 45 days.
12. Security Incident Response
In the event of a security incident involving personal data, SimpleRecurring will:
- Investigate and contain the incident within 24 hours of discovery
- Notify affected merchants within 72 hours, including a description of the incident, the data involved, and remediation steps taken
- Notify Shopify as required by the Shopify Partner Program Agreement
- Report to relevant data protection authorities as required by GDPR or applicable law
- Document the incident, root cause analysis, and corrective actions taken
- Implement measures to prevent recurrence
To report a security concern, contact us at support@simplerecurring.com with the subject line "Security Incident".
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or in-app notification. Continued use of our services after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
Iisivuokra Oy (Business ID: 2755505-7)
Email: support@simplerecurring.com