Privacy Policy

Introduction

ChurnZap ("we," "us," "our," or "Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at churnzap.com and use our SaaS platform for customer retention management (the "Service").

Important Note on Scope: ChurnZap is a business-to-business (B2B) SaaS platform. Our customers are subscription-based businesses (such as SaaS companies). This Privacy Policy covers:

• Data about our customers (subscription business account holders)
• Data about end-customers of our customers (accessed via OAuth integrations with payment processors) that our customers authorize us to process on their behalf

We do not market to, and do not knowingly collect data from, individual consumers for consumer-facing purposes. All parties interacting with ChurnZap are expected to be acting in a business or professional capacity.

We comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy and data protection laws. Please read this Privacy Policy carefully. If you have questions about this Privacy Policy, please contact us at privacy[at]churnzap.com.

1. Information We Collect

1.1 Information You Provide Directly

• Account Information: When you create a ChurnZap account, we collect your name, email address, company name, job title, phone number, and billing information.
• Communication Data: When you communicate with us via email, contact forms, or support channels, we collect the content of your messages and attachments.
• Payment Information: We collect payment details necessary to process your subscription. Payment processing is handled by third-party payment processors who comply with PCI DSS standards.
• Customer Data: If you use ChurnZap to manage your customer retention, you may input or upload customer data, including names, email addresses, subscription information, and churn indicators. You are responsible for ensuring you have appropriate consent to process this data.

1.2 Information Collected Automatically

• Usage Data: We automatically collect information about your interactions with our Service, including pages visited, features used, session duration, and actions performed.
• Device Information: We collect information about your device, including device type, operating system, browser type, IP address, and unique device identifiers.
• Cookies and Similar Technologies: We use cookies, web beacons, and similar tracking technologies to enhance your experience, remember your preferences, and analyze how you use our Service.
• Log Data: Our servers automatically record information when you use ChurnZap, including access times, pages viewed, and referring URLs.

1.3 Information from Third Parties - OAuth Integrations

Payment Processor Data (Data Processing on Your Behalf): When you authorize ChurnZap to access your payment processor account via OAuth, we receive and process the following data on your behalf as a Data Processor:

• Stripe Integration: Customer name, email address, subscription status, plan/product information, billing amounts (MRR), payment failure events, and subscription cancellation requests.
• Braintree Integration: Customer name, email address, subscription status, plan information, payment amounts, payment failures, and cancellation events.
• Paddle Integration: Customer name, email address, subscription information, plan details, revenue data, payment status, and churn indicators.

Important: We do not access, store, or process sensitive payment information such as credit card numbers, payment method details, or other sensitive payment data. We access only the data necessary to identify churn signals and provide our retention services.

Your Role as Data Controller: When you integrate ChurnZap with your payment processor, you remain the Data Controller for this data. You authorize ChurnZap to process this data solely for the purpose of providing the ChurnZap Service and for legitimate business analytics to improve our platform (see Section 3 for legal basis). You warrant that you have obtained all necessary consents from your end-customers to authorize this data processing.

1.4 Other Information from Third Parties

• Analytics Providers: We work with analytics providers who help us understand how our Service is used.
• Business Partners: We may receive information from business partners or affiliates for marketing and service improvement purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Service Delivery: To provide, maintain, and improve ChurnZap and deliver the features and functionality you request.
• Account Management: To manage your account, process payments, send transactional emails, and provide customer support.
• Communication: To send you service announcements, updates, and respond to your inquiries.
• Marketing: With your consent, to send promotional content, newsletters, and information about new features (you can opt out at any time).
• Analytics and Improvement: To understand how you use ChurnZap, identify trends, and improve our Service.
• Security and Fraud Prevention: To detect, prevent, and address fraud, abuse, and security issues.
• Legal Compliance: To comply with applicable laws, regulations, and legal processes.

3. Legal Basis for Processing (GDPR)

For customers and their data subjects in the European Economic Area (EEA), we process personal data based on the following legal grounds:

3.1 As a Data Controller (ChurnZap Account Information)

For data about our customers (your ChurnZap account information), we process based on:

• Contract Performance: Processing necessary to fulfill our agreement with you for the provision of ChurnZap services.
• Legitimate Interests: Processing necessary for our legitimate business interests, such as service improvement, fraud prevention, security monitoring, and analytics, where these interests do not override your rights and freedoms.
• Consent: Where we rely on your explicit consent, such as for marketing communications or optional analytics.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.

3.2 As a Data Processor (End-Customer Data from OAuth)

For data about your end-customers (accessed via OAuth from payment processors), we process as a Data Processor under your instructions and the Data Processing Agreement. You, as the Data Controller, must establish the lawful basis for processing this data with your own customers. ChurnZap processes this data:

• For Contract Performance: To deliver the ChurnZap retention service you have contracted with us to provide.
• For Legitimate Interests: To analyze service performance and improve our platform (only in aggregated, anonymized form that does not identify individual end-customers).

Your Responsibility: You warrant that you have established a lawful basis with your end-customers (such as consent or legitimate interests under their own privacy framework) to share their data with ChurnZap for retention analysis purposes.

4. How We Share Your Information

4.1 Service Providers

We share information with third-party service providers who perform services on our behalf, including:

• Cloud hosting providers (for secure data storage)
• Payment processors (for billing)
• Analytics services (for usage insights)
• Email delivery services (for communications)
• Customer support platforms (for support management)

These service providers are contractually obligated to use your information only as necessary to provide services to ChurnZap and must comply with applicable data protection laws.

4.2 Legal Requirements and Protection

We may disclose your information when required by law, such as in response to a court order, government request, or other legal process. We may also disclose information when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

4.3 Business Transfers

If ChurnZap is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, your information may be part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

4.4 No Sale of Personal Data

We do not sell, trade, or rent your personal information to third parties. We do not disclose personal information for third-party marketing purposes without your explicit consent.

5. Data Retention

We retain your personal information for as long as necessary to provide the Service and fulfill the purposes outlined in this Privacy Policy, subject to legal obligations and the principle of data minimization. Retention periods are as follows:

5.1 ChurnZap Account Data (Where We Are Data Controller)

• Account Information: Retained while your account is active. After account termination or deletion, personal account data (name, email, company information) is deleted within 30 days, except as required by law or for legitimate audit/security purposes (retained up to 90 days).
• Payment/Billing Data: Retained for the duration of our business relationship plus 7 years for tax and accounting compliance purposes (as required by law in most jurisdictions).
• Support Communications: Retained for 12 months after last communication, unless related to an active dispute or legal matter.

5.2 End-Customer Data (Where We Are Data Processor)

• OAuth-Accessed Customer Data (Stripe, Braintree, Paddle): Retained in our systems only while you maintain an active ChurnZap account and have not disabled the integration. Upon account deletion or integration disconnection, this data is deleted within 30 days. Note: You remain responsible for retention obligations to your own customers.
• API Logs and System Backups: May contain customer data and are retained for up to 90 days for security, troubleshooting, and audit purposes. Backups used for disaster recovery may be retained longer (typically 6 months) but are encrypted and access-restricted.

5.3 Usage and Analytics Data

• Aggregated, Anonymized Analytics: Retained indefinitely for service improvement, as they cannot identify individuals.
• Usage Logs (personal data elements): Retained for 12 months for analytics and troubleshooting purposes, then aggregated and anonymized or deleted.

5.4 Legal and Compliance Data

• Retained as required by applicable laws, regulations, and legal processes. For example, financial records may be retained for 7 years for tax compliance in most jurisdictions.

5.5 Data Deletion Requests

You may request deletion of your personal data subject to the following exceptions:

• Data required to be retained by law (e.g., tax records, legal holds)
• Data necessary to defend legal claims
• Data needed for security or system integrity purposes
• Aggregated or anonymized data that cannot identify you

To request data deletion, contact us at privacy[at]churnzap.com. We will respond within 30 days with confirmation of deletion or explanation of any exceptions.

6. Your Privacy Rights

6.1 GDPR Rights (European Business Customers and Data Subjects)

If you are a customer in the European Economic Area or if you are a data subject whose data is processed by ChurnZap on behalf of a customer, you have the following rights regarding your personal data under the GDPR:

• Right of Access (Article 15): You can request a copy of the personal data we hold about you.
• Right to Rectification (Article 16): You can request correction of inaccurate or incomplete information.
• Right to Erasure (Article 17): You can request deletion of your personal data, subject to certain exceptions (e.g., legal obligations, contract performance).
• Right to Restrict Processing (Article 18): You can request that we limit how we use your information pending resolution of a dispute.
• Right to Data Portability (Article 20): You can request to receive your data in a structured, commonly used format and transfer it to another service.
• Right to Object (Article 21): You can object to processing based on legitimate interests, including for direct marketing.
• Right to Withdraw Consent (Article 7): Where processing is based on consent, you can withdraw that consent at any time without affecting the lawfulness of prior processing.
• Rights Related to Automated Decision-Making (Article 22): You have rights to object to decisions made solely by automated means that produce legal or similarly significant effects.

For Data Subjects Whose Data Is Processed as a Data Processor: If your data was shared with ChurnZap by another customer (our data controller), you have the above rights. You can exercise these rights with the organization that shared your data, or you can contact us at privacy[at]churnzap.com with full details of your request, and we will assist or forward your request to the appropriate data controller.

To exercise these rights, contact us at privacy[at]churnzap.com with "Data Subject Request" in the subject line. Include sufficient information for us to identify you. We will respond to your request within 30 days, or provide an explanation if we require additional time (up to 90 days total for complex requests). You also have the right to lodge a complaint with your local data protection authority without contacting us first.

6.2 CCPA/CPRA Rights (California Business Customers)

Important Note: ChurnZap is a B2B service. The CCPA and related state privacy laws primarily apply to personal information of California residents as "consumers." Because ChurnZap customers are businesses, these rights typically apply to:

• Business representatives (owners, managers, employees) whose personal data we collect in connection with providing our services
• End-customers of our customers whose data is shared with ChurnZap (if any are California residents)

If you are a California resident and a ChurnZap customer, you have the following rights under the CCPA/CPRA:

• Right to Know: You can request what personal information we collect, use, and disclose.
• Right to Delete: You can request deletion of personal information we have collected, subject to exceptions (e.g., contract performance, legal obligations).
• Right to Opt-Out: You can opt out of the sale or sharing of your personal information. ChurnZap does not sell or share personal information.
• Right to Correct: You can request correction of inaccurate personal information.
• Right to Limit Use: You can limit how we use sensitive personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising your rights under the CCPA/CPRA.
• Right to Opt-Out of Profiling: You can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.

Enforceability Note: Some CCPA/CPRA provisions may have more limited application to business-to-business relationships. We will honor all valid rights requests to the extent applicable under law.

To submit a CCPA/CPRA request, email privacy[at]churnzap.com with "California Privacy Request" in the subject line. Include your name, email address, business name, and a clear description of your request. We will verify your identity and respond within 45 days, or within 45 days of receiving any additional information we need to verify your request.

6.3 Do Not Track (DNT)

Some browsers include a "Do Not Track" feature. Our Service does not currently respond to DNT signals. However, you can control cookie preferences through your browser settings.

7. Children's Privacy

ChurnZap is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18. If we become aware that we have collected such information, we will delete it promptly. Parents or guardians who believe their child has provided information to ChurnZap should contact us immediately at privacy[at]churnzap.com.

8. Cookies and Tracking Technologies

8.1 Types of Cookies We Use

• Essential Cookies: Required for authentication, security, and basic functionality.
• Performance Cookies: Used to understand how you use ChurnZap and improve our Service.
• Marketing Cookies: Used to deliver personalized content and track the effectiveness of marketing campaigns.

8.2 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when cookies are being sent. Note that blocking cookies may affect your ability to use certain features of ChurnZap.

8.3 Third-Party Tracking

We use Google Analytics to understand usage patterns. Google Analytics collects information anonymously and reports aggregated data. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-on.

9. Subprocessors and Service Providers

As permitted under the GDPR and other applicable laws, ChurnZap uses the following subprocessors and service providers to process personal data on our behalf or in support of our services:

9.1 Current Subprocessor List

• Cloud Infrastructure Provider: Render.com (cloud hosting and data storage). Data is stored on Render's US infrastructure unless EU data residency is requested, in which case it is stored in Render's EU data centers.
• Analytics: Google Analytics (usage analytics). Google Analytics operates under its own privacy policy and Data Processing Agreement.
• Email and Notifications: SendGrid or similar service (transactional and notification emails).
• Customer Support: Third-party support platform (support ticket management and communication).
• Payment Processing: Stripe, Braintree, or other third-party payment processors (billing and payment processing). These processors maintain their own security certifications and comply with PCI DSS standards.

Note: We do not control or receive payment information through these processors—you authorize them directly to access and process your payment details.

9.2 Subprocessor Updates and Customer Notification

We may add or change subprocessors as our business needs evolve. We will update this list on the website and notify existing customers of material changes at least 30 days in advance. GDPR customers have the right to object to new subprocessors. If you object, we will work with you to find a solution, which may include terminating the relevant feature or providing an alternative.

9.3 Data Processing Agreements with Subprocessors

All subprocessors are contractually required to:

• Process data only as instructed by ChurnZap (or you, if you are the data controller)
• Ensure confidentiality of data
• Implement appropriate technical and organizational security measures
• Assist with your rights requests (where applicable)
• Comply with applicable data protection laws

10. Data Security

We implement comprehensive security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction:

• Encryption of data in transit (SSL/TLS) and at rest
• Secure authentication protocols and password management
• Regular security assessments and vulnerability testing
• Access controls and role-based permissions
• Secure hosting on industry-leading cloud infrastructure
• Incident response procedures and security monitoring

However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

10. International Data Transfers

If you are located outside the United States, note that your information may be transferred to, stored in, and processed in the United States and other countries. By using ChurnZap, you consent to the transfer of your information to countries outside your country of residence, which may have different data protection rules.

For EEA residents, we transfer data based on appropriate safeguards, such as Standard Contractual Clauses (SCCs) or other mechanisms approved under GDPR.

11. Third-Party Links

ChurnZap may contain links to third-party websites and services that are not operated by us. This Privacy Policy applies only to our Service. We are not responsible for the privacy practices of third-party sites, and we encourage you to review their privacy policies before providing any information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by updating the "Last updated" date at the top of this policy and, in some cases, providing additional notice (such as sending you an email). Your continued use of ChurnZap following such notification constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

We will respond to your inquiry within 30 days.

Data Protection Authority

If you are an EEA resident and believe we have violated your privacy rights, you have the right to lodge a complaint with your local data protection authority.

14. Additional Information for Specific Jurisdictions

14.1 Nevada Residents

Nevada law permits you to opt out of the future sale of covered information. While we do not currently sell your information, you can submit an opt-out request to privacy[at]churnzap.com.

14.2 Virginia, Colorado, Connecticut, and Utah Residents

Under the Virginia Consumer Data Protection Act (VCDPA) and similar state laws, you have rights similar to CCPA rights, including rights to access, delete, correct, and opt-out. Submit requests to privacy[at]churnzap.com.