Skip to main content
This Privacy Policy explains how Airdun collects, uses, stores, and protects data in connection with the Airdun service. It applies to merchants who use Airdun (that is, you) and describes how Airdun handles the data of your customers as part of the payment-recovery process. Please read it carefully — and contact us at hello@airdun.com if you have any questions. Last updated: July 15, 2026 Data controller / operator: Louis Rapp EI, 63 route de Laoureaux, 31590 Lavalette, France
This policy covers two distinct relationships:Merchants (you) — If you have created an Airdun account, Airdun is the data controller for the account and billing information you provide directly to us (your name, email address, company details, and payment information). We determine how and why that data is processed.Your customers — When Airdun processes data about your customers (such as their name, email address, or payment status) in order to run recovery sequences on your behalf, Airdun acts as a data processor and you remain the data controller. We process your customers’ data only on your instructions and for the sole purpose of recovering failed payments.This distinction matters because it determines where legal responsibility sits and what rights apply to each person. Your customers who wish to exercise their data rights in relation to your Airdun-powered recovery activity should contact you directly as the controller; you may then contact us for assistance.
Airdun processes the following categories of data:Payment and subscription data (sourced from Stripe via your authorisation):
  • Payment intent IDs, invoice IDs, and subscription IDs
  • Failure reasons and failure codes
  • Amount, currency, and billing dates
  • Payment method type (e.g., card brand, last four digits) — never full card numbers, CVCs, or full bank account numbers
Customer data (sourced from Stripe):
  • Name
  • Email address
  • Phone number (where available, for SMS/WhatsApp recovery)
  • Country and language/locale
Recovery activity data (generated by Airdun):
  • Sequence enrolment and step completion records
  • Message delivery and open events
  • Payment retry outcomes
  • Escalation and manual-action logs
Airdun does not process full card numbers, CVCs, or full bank account details. All sensitive payment method data remains exclusively within Stripe’s systems.
Airdun uses data for a single purpose: recovering failed payments on behalf of merchants.More specifically, we use the data described above to:
  • Identify failed or at-risk payments in your Stripe account
  • Enrol the relevant customers into the appropriate recovery sequence
  • Send recovery communications via email, SMS, WhatsApp, or in-app notifications
  • Retry payments at optimised intervals based on card-network signals
  • Generate analytics and reports showing recovery performance
We do not use your data or your customers’ data for advertising, profiling, selling to third parties, or any purpose unrelated to payment recovery. We do not place advertising cookies or third-party trackers on airdun.com.
Each merchant’s data is logically isolated within Airdun’s infrastructure. No other merchant can access, query, or interact with your workspace or your customers’ data.Airdun staff access production data only under strict internal access controls, on a need-to-know basis, and for the purpose of providing support or maintaining the service. All staff with access to personal data are bound by confidentiality obligations.
Airdun shares data with the following categories of sub-processors in order to deliver the service. All sub-processors are bound by data processing agreements.Airdun does not sell data to any third party or share data with sub-processors beyond what is necessary for the stated purpose.
Airdun applies the following security measures to protect personal data:
  • Encryption in transit — all data transmitted between clients, Airdun’s services, and sub-processors uses TLS 1.2 or higher
  • Encryption at rest — all data stored in Airdun’s infrastructure is encrypted at the storage layer
  • Application-level encryption — sensitive credentials and integration tokens are encrypted at the application layer in addition to infrastructure-level encryption
  • Authentication — Airdun delegates authentication to a dedicated identity provider; passwords are never stored by Airdun itself
  • Role-based access control — team member access within each workspace is governed by Owner, Administrator, and Member roles
  • Logical data isolation — each merchant workspace is partitioned at the data layer
In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, Airdun will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by applicable law.
Airdun retains personal data only for as long as necessary to provide the service and comply with legal obligations.
  • Active accounts — data is retained for the duration of your subscription
  • Account closure — all personal data associated with your account (including your customers’ data) is deleted within 30 days of your account closure date
  • Legal retention requirements — certain data (such as billing records) may be retained for longer periods where required by applicable law (e.g., French accounting law)
  • Recovery activity logs — anonymised aggregate statistics may be retained beyond the 30-day window for product analytics; these contain no personal data
You may request early deletion of specific data by contacting hello@airdun.com.
If you are a merchant using Airdun, you have the following rights in relation to the personal data Airdun holds about you as controller:
  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure — ask us to delete your personal data (subject to legal retention requirements)
  • Right to data portability — receive your data in a structured, machine-readable format
To exercise any of these rights, contact us at hello@airdun.com. We will respond within 30 days.If you are a customer of a merchant using Airdun (i.e., your data was processed as part of a failed-payment recovery sequence), your rights should be directed to the merchant in the first instance, as they are the data controller for that processing.If you believe your rights have not been respected, you have the right to lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL), the French data protection supervisory authority: www.cnil.fr.
Airdun’s primary infrastructure is hosted in the European Union (Google Cloud, Paris region). No personal data is stored outside the EU by Airdun’s own systems.Some sub-processors (including Stripe, Twilio, Postmark/Loops, and Anthropic) are based in the United States. Where data is transferred to these providers, Airdun ensures that appropriate safeguards are in place under Article 46 of the GDPR, specifically Standard Contractual Clauses (SCCs) approved by the European Commission.
Airdun may update this Privacy Policy from time to time to reflect changes in the service, applicable law, or our data practices. When we make material changes, we will notify you by email (to the address associated with your account) and update the “Last updated” date at the top of this page.Your continued use of Airdun after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you may cancel your account at any time.
For any questions, concerns, or rights requests relating to this Privacy Policy or Airdun’s data practices, please contact:Louis Rapp EI 63 route de Laoureaux 31590 Lavalette FranceEmail: hello@airdun.comWe aim to respond to all enquiries within 5 business days.