1. Who this policy is for
1. Who this policy is for
This policy covers two distinct relationships:Merchants (you) — If you have created an Airdun account, Airdun is the data controller for the account and billing information you provide directly to us (your name, email address, company details, and payment information). We determine how and why that data is processed.Your customers — When Airdun processes data about your customers (such as their name, email address, or payment status) in order to run recovery sequences on your behalf, Airdun acts as a data processor and you remain the data controller. We process your customers’ data only on your instructions and for the sole purpose of recovering failed payments.This distinction matters because it determines where legal responsibility sits and what rights apply to each person. Your customers who wish to exercise their data rights in relation to your Airdun-powered recovery activity should contact you directly as the controller; you may then contact us for assistance.
2. Data we process
2. Data we process
Airdun processes the following categories of data:Payment and subscription data (sourced from Stripe via your authorisation):
- Payment intent IDs, invoice IDs, and subscription IDs
- Failure reasons and failure codes
- Amount, currency, and billing dates
- Payment method type (e.g., card brand, last four digits) — never full card numbers, CVCs, or full bank account numbers
- Name
- Email address
- Phone number (where available, for SMS/WhatsApp recovery)
- Country and language/locale
- Sequence enrolment and step completion records
- Message delivery and open events
- Payment retry outcomes
- Escalation and manual-action logs
3. How we use your data
3. How we use your data
Airdun uses data for a single purpose: recovering failed payments on behalf of merchants.More specifically, we use the data described above to:
- Identify failed or at-risk payments in your Stripe account
- Enrol the relevant customers into the appropriate recovery sequence
- Send recovery communications via email, SMS, WhatsApp, or in-app notifications
- Retry payments at optimised intervals based on card-network signals
- Generate analytics and reports showing recovery performance
4. Data isolation and confidentiality
4. Data isolation and confidentiality
Each merchant’s data is logically isolated within Airdun’s infrastructure. No other merchant can access, query, or interact with your workspace or your customers’ data.Airdun staff access production data only under strict internal access controls, on a need-to-know basis, and for the purpose of providing support or maintaining the service. All staff with access to personal data are bound by confidentiality obligations.
5. Sharing with third-party processors
5. Sharing with third-party processors
Airdun shares data with the following categories of sub-processors in order to deliver the service. All sub-processors are bound by data processing agreements.
Airdun does not sell data to any third party or share data with sub-processors beyond what is necessary for the stated purpose.
6. Data security
6. Data security
Airdun applies the following security measures to protect personal data:
- Encryption in transit — all data transmitted between clients, Airdun’s services, and sub-processors uses TLS 1.2 or higher
- Encryption at rest — all data stored in Airdun’s infrastructure is encrypted at the storage layer
- Application-level encryption — sensitive credentials and integration tokens are encrypted at the application layer in addition to infrastructure-level encryption
- Authentication — Airdun delegates authentication to a dedicated identity provider; passwords are never stored by Airdun itself
- Role-based access control — team member access within each workspace is governed by Owner, Administrator, and Member roles
- Logical data isolation — each merchant workspace is partitioned at the data layer
7. Data retention and deletion
7. Data retention and deletion
Airdun retains personal data only for as long as necessary to provide the service and comply with legal obligations.
- Active accounts — data is retained for the duration of your subscription
- Account closure — all personal data associated with your account (including your customers’ data) is deleted within 30 days of your account closure date
- Legal retention requirements — certain data (such as billing records) may be retained for longer periods where required by applicable law (e.g., French accounting law)
- Recovery activity logs — anonymised aggregate statistics may be retained beyond the 30-day window for product analytics; these contain no personal data
8. Your rights
8. Your rights
If you are a merchant using Airdun, you have the following rights in relation to the personal data Airdun holds about you as controller:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — ask us to delete your personal data (subject to legal retention requirements)
- Right to data portability — receive your data in a structured, machine-readable format
9. International data transfers
9. International data transfers
Airdun’s primary infrastructure is hosted in the European Union (Google Cloud, Paris region). No personal data is stored outside the EU by Airdun’s own systems.Some sub-processors (including Stripe, Twilio, Postmark/Loops, and Anthropic) are based in the United States. Where data is transferred to these providers, Airdun ensures that appropriate safeguards are in place under Article 46 of the GDPR, specifically Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Changes to this policy
10. Changes to this policy
Airdun may update this Privacy Policy from time to time to reflect changes in the service, applicable law, or our data practices. When we make material changes, we will notify you by email (to the address associated with your account) and update the “Last updated” date at the top of this page.Your continued use of Airdun after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you may cancel your account at any time.
11. Contact
11. Contact
For any questions, concerns, or rights requests relating to this Privacy Policy or Airdun’s data practices, please contact:Louis Rapp EI
63 route de Laoureaux
31590 Lavalette
FranceEmail: hello@airdun.comWe aim to respond to all enquiries within 5 business days.
