Is my billing data safe?

Yes. We only read data — we cannot modify your billing, create charges, or access card numbers. All supported platforms (Stripe, Polar, Paddle) support restricted read-only keys. Your key is used only during the scan and is never stored or logged.

Which billing platforms do you support?

We support Stripe, Polar.sh, and Paddle. Select your platform on the scan page and we'll guide you through creating an API key. Each platform gets a tailored scan covering the leak types it supports.

What permissions does the API key need?

Read access for: Customers, Subscriptions, Invoices, Products, Prices, Coupons, and Payment Methods (exact names vary by platform). We provide step-by-step instructions on the scan page. It takes about 60 seconds to create.

How long does the scan take?

Under 90 seconds for most accounts. Larger accounts (1,000+ customers) may take up to 3 minutes. You'll see real-time progress as we scan each category.

What exactly do you scan for?

We run 10 automated checks: (1) Expired coupons still discounting, (2) Legacy pricing below current rates, (3) Forever discounts with no end date, (4) Stuck subscriptions stuck in bad states, (5) Expiring cards within 90 days, (6) Uncollected revenue with open invoices, (7) Missing payment methods on active subscriptions, (8) Unbilled overages — quantity mismatches and usage exceeding plan limits, (9) Expired trials — subscriptions stuck in trialing status, (10) Duplicate subscriptions — customers charged twice after failed upgrades.

What do I do with the report?

Open the report. See the leak. See the dollar amount. See the one-sentence fix. Click the link — it takes you straight to that customer in your billing dashboard. Fix it. That money hits your account next billing cycle.

What if you don't find any leaks?

Then your billing is clean. You get a perfect health score and some peace of mind. The free scan costs you nothing either way. If you're on a paid plan and we find less than $1,000/mo, you pay nothing.

What happens when a Stripe coupon expires?

When a Stripe coupon's redeem_by date passes, the coupon stops accepting new redemptions — but existing subscriptions keep the discount indefinitely. Stripe does not auto-remove expired coupons from active subscriptions. RevReclaim scans for these zombie discounts and shows you exactly which subscriptions are affected and how much they're costing you.

Is this the same as chargeback recovery?

No. Chargeback tools handle disputed payments. We find revenue you earned but aren't collecting: expired discounts still running, subscriptions stuck in failed states, cards about to expire, and outdated pricing that was never updated. Different problem, different fix.

Can I cancel the monthly plan anytime?

Yes. No contracts, no lock-in. Cancel anytime from your dashboard. Your data is deleted within 30 days of cancellation.

Is this worth it if I have fewer than 50 customers?

Probably not. Revenue leaks compound with scale. If you have 10 customers, you probably know each one by name. RevReclaim is built for the stage where your billing account has grown past what one person can monitor — typically 100+ customers, $30K+ MRR.

Why should I trust you with my billing data?

Fair question. We designed RevReclaim to work with restricted, read-only API keys scoped to specific resources. We only perform read operations, never modify your data, never see card numbers, and never store the key after the scan.

Privacy Policy

Last updated: March 8, 2026

1. What We Collect

When you use RevReclaim, we collect the following information:

Account information: Email address, name, and password (hashed) when you create an account.
Billing platform API keys: Read-only restricted keys you provide for scanning (Stripe, Paddle, or Polar). One-time scan keys are processed in memory and never stored. Auto-scan keys are encrypted with AES-256-GCM before storage.
Scan results: Revenue leak reports generated from your billing data, stored in your account for future reference.
Usage data: Basic analytics like page views and feature usage to improve the product.

2. How We Handle Your Billing Data

Your billing data security is our top priority:

Read-only access: We only request read-only API keys from Stripe, Paddle, or Polar. We cannot modify your billing account, create charges, or change subscriptions. This is enforced at the platform level.
One-time scans: API keys used for manual scans are processed in memory and never stored on any server or database. The key exists for approximately 90 seconds during the scan.
Auto-scan keys: If you enable automated weekly scans, your API key is encrypted using AES-256-GCM with a derived key before storage. The encryption key is stored separately from the database. You can delete it at any time from your settings.
Data minimization: We only fetch the billing data needed for leak detection (subscriptions, invoices, customers, coupons, prices). We do not access full credit card numbers, bank accounts, or personal identity documents.
Customer names: We never fetch or store customer full names from your billing platform. Only customer IDs and masked emails are used.
Privacy Mode (optional): When enabled, customer emails and IDs are hidden from the dashboard, reports, and exports. Data remains encrypted server-side for recovery action execution.

3. How We Use Your Data

Generate revenue leak reports for your review
Store scan history in your dashboard
Run automated scans on your chosen schedule
Send scan completion notifications (if enabled)
Send automated pre-dunning emails for expiring cards (if enabled)
Deliver webhook notifications to your configured endpoints
Improve our leak detection algorithms

4. Data Storage & Security

Database: Data is stored in Supabase (PostgreSQL) with Row Level Security — each user can only access their own data.
Encryption: API keys are encrypted at rest using AES-256-GCM. All data in transit is encrypted via TLS 1.3.
Hosting: The application is hosted on Vercel with automatic HTTPS and DDoS protection.
Access control: Only you can access your reports and settings. Our team does not access customer Stripe data.

5. Data Sharing & Sub-processors

We do not sell, rent, or share your personal data or billing data with third parties, except for the sub-processors listed below that are essential to providing the Service:

Provider	Purpose	Data Accessed
Vercel	Application hosting	Request logs, server-side code execution
Supabase	Database & authentication	User accounts, encrypted API keys, scan reports
Polar	Payment processing	Billing email, subscription status

All sub-processors are bound by data processing agreements. We will notify registered users via email at least 14 days before adding new sub-processors. We may also share data if required by law, court order, or government request.

6. Data Retention & Deletion

Scan reports are retained as long as your account is active.
You can delete individual reports from your dashboard at any time.
You can delete your auto-scan configuration (including the encrypted API key) at any time.
To delete your entire account and all associated data, contact us at the email below.
Upon account deletion, all data is permanently removed within 30 days.

7. Breach Notification

In the event of a confirmed data breach affecting your personal data or API keys, we will:

Notify affected users via email within 72 hours of confirming the breach, in compliance with GDPR requirements.
Provide details about the nature of the breach, the categories of data affected, and the approximate number of users impacted.
Describe the measures taken to address and mitigate the breach.
Report to relevant supervisory authorities as required by applicable law.
Provide guidance on protective steps, including instructions for revoking API keys on your billing platform.

8. International Data Processing

RevReclaim is operated from Israel. Our sub-processors may process data in the United States and the European Union. If you are located in the European Economic Area (EEA) or the United Kingdom, your data may be transferred to and processed in countries outside your jurisdiction.

We rely on Standard Contractual Clauses (SCCs) and our sub-processors' certifications (including SOC 2) to ensure that your data is protected to the standards required by GDPR. If you are subject to GDPR and require a Data Processing Agreement (DPA), please contact us at the email below and we will provide one.

9. Cookies

We use essential cookies only — for authentication sessions and security. We do not use advertising cookies or third-party tracking cookies.

10. Your Rights

You have the right to:

Access your stored data
Export your scan reports
Delete your data and account
Withdraw consent for automated scans at any time

11. Changes

We may update this policy from time to time. Material changes will be communicated via email to registered users. Continued use of the service after changes constitutes acceptance.

12. Contact

For privacy-related questions or data deletion requests, contact us at revreclaim@gmail.com