> ## Documentation Index
> Fetch the complete documentation index at: https://docs.airdun.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Airdun Privacy Policy: Data Collection, Use, and Rights

> How Airdun collects, uses, and protects your data and your customers' data under EU law, including sub-processors, retention periods, and your GDPR rights.

This Privacy Policy explains how Airdun collects, uses, stores, and protects data in connection with the Airdun service. It applies to merchants who use Airdun (that is, you) and describes how Airdun handles the data of your customers as part of the payment-recovery process. Please read it carefully — and contact us at **[hello@airdun.com](mailto:hello@airdun.com)** if you have any questions.

**Last updated:** July 15, 2026

**Data controller / operator:** Louis Rapp EI, 63 route de Laoureaux, 31590 Lavalette, France

***

<Accordion title="1. Who this policy is for">
  This policy covers two distinct relationships:

  **Merchants (you)** — If you have created an Airdun account, Airdun is the **data controller** for the account and billing information you provide directly to us (your name, email address, company details, and payment information). We determine how and why that data is processed.

  **Your customers** — When Airdun processes data about your customers (such as their name, email address, or payment status) in order to run recovery sequences on your behalf, Airdun acts as a **data processor** and you remain the data controller. We process your customers' data only on your instructions and for the sole purpose of recovering failed payments.

  This distinction matters because it determines where legal responsibility sits and what rights apply to each person. Your customers who wish to exercise their data rights in relation to your Airdun-powered recovery activity should contact you directly as the controller; you may then contact us for assistance.
</Accordion>

<Accordion title="2. Data we process">
  Airdun processes the following categories of data:

  **Payment and subscription data** (sourced from Stripe via your authorisation):

  * Payment intent IDs, invoice IDs, and subscription IDs
  * Failure reasons and failure codes
  * Amount, currency, and billing dates
  * Payment method type (e.g., card brand, last four digits) — never full card numbers, CVCs, or full bank account numbers

  **Customer data** (sourced from Stripe):

  * Name
  * Email address
  * Phone number (where available, for SMS/WhatsApp recovery)
  * Country and language/locale

  **Recovery activity data** (generated by Airdun):

  * Sequence enrolment and step completion records
  * Message delivery and open events
  * Payment retry outcomes
  * Escalation and manual-action logs

  Airdun does **not** process full card numbers, CVCs, or full bank account details. All sensitive payment method data remains exclusively within Stripe's systems.
</Accordion>

<Accordion title="3. How we use your data">
  Airdun uses data for a single purpose: **recovering failed payments on behalf of merchants**.

  More specifically, we use the data described above to:

  * Identify failed or at-risk payments in your Stripe account
  * Enrol the relevant customers into the appropriate recovery sequence
  * Send recovery communications via email, SMS, WhatsApp, or in-app notifications
  * Retry payments at optimised intervals based on card-network signals
  * Generate analytics and reports showing recovery performance

  We do **not** use your data or your customers' data for advertising, profiling, selling to third parties, or any purpose unrelated to payment recovery. We do not place advertising cookies or third-party trackers on airdun.com.
</Accordion>

<Accordion title="4. Data isolation and confidentiality">
  Each merchant's data is logically isolated within Airdun's infrastructure. No other merchant can access, query, or interact with your workspace or your customers' data.

  Airdun staff access production data only under strict internal access controls, on a need-to-know basis, and for the purpose of providing support or maintaining the service. All staff with access to personal data are bound by confidentiality obligations.
</Accordion>

<Accordion title="5. Sharing with third-party processors">
  Airdun shares data with the following categories of sub-processors in order to deliver the service. All sub-processors are bound by data processing agreements.

  | Sub-processor        | Purpose                                                                         | Location          |
  | -------------------- | ------------------------------------------------------------------------------- | ----------------- |
  | **Stripe**           | Payment data access and retry execution                                         | US (SCCs apply)   |
  | **Postmark / Loops** | Transactional email delivery                                                    | US (SCCs apply)   |
  | **Twilio**           | SMS and WhatsApp message delivery                                               | US (SCCs apply)   |
  | **Google Cloud**     | Infrastructure and data storage                                                 | EU (Paris region) |
  | **Anthropic**        | AI-assisted message drafting (no data retained by Anthropic beyond the request) | US (SCCs apply)   |
  | **Monitoring tools** | Error tracking and uptime monitoring                                            | EU where possible |

  Airdun does not sell data to any third party or share data with sub-processors beyond what is necessary for the stated purpose.
</Accordion>

<Accordion title="6. Data security">
  Airdun applies the following security measures to protect personal data:

  * **Encryption in transit** — all data transmitted between clients, Airdun's services, and sub-processors uses TLS 1.2 or higher
  * **Encryption at rest** — all data stored in Airdun's infrastructure is encrypted at the storage layer
  * **Application-level encryption** — sensitive credentials and integration tokens are encrypted at the application layer in addition to infrastructure-level encryption
  * **Authentication** — Airdun delegates authentication to a dedicated identity provider; passwords are never stored by Airdun itself
  * **Role-based access control** — team member access within each workspace is governed by Owner, Administrator, and Member roles
  * **Logical data isolation** — each merchant workspace is partitioned at the data layer

  In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, Airdun will notify the relevant supervisory authority within 72 hours and affected data subjects without undue delay, as required by applicable law.
</Accordion>

<Accordion title="7. Data retention and deletion">
  Airdun retains personal data only for as long as necessary to provide the service and comply with legal obligations.

  * **Active accounts** — data is retained for the duration of your subscription
  * **Account closure** — all personal data associated with your account (including your customers' data) is deleted within **30 days** of your account closure date
  * **Legal retention requirements** — certain data (such as billing records) may be retained for longer periods where required by applicable law (e.g., French accounting law)
  * **Recovery activity logs** — anonymised aggregate statistics may be retained beyond the 30-day window for product analytics; these contain no personal data

  You may request early deletion of specific data by contacting **[hello@airdun.com](mailto:hello@airdun.com)**.
</Accordion>

<Accordion title="8. Your rights">
  If you are a merchant using Airdun, you have the following rights in relation to the personal data Airdun holds about you as controller:

  * **Right of access** — request a copy of the personal data we hold about you
  * **Right to rectification** — ask us to correct inaccurate or incomplete data
  * **Right to erasure** — ask us to delete your personal data (subject to legal retention requirements)
  * **Right to data portability** — receive your data in a structured, machine-readable format

  To exercise any of these rights, contact us at **[hello@airdun.com](mailto:hello@airdun.com)**. We will respond within 30 days.

  If you are a **customer of a merchant** using Airdun (i.e., your data was processed as part of a failed-payment recovery sequence), your rights should be directed to the merchant in the first instance, as they are the data controller for that processing.

  If you believe your rights have not been respected, you have the right to lodge a complaint with the **Commission Nationale de l'Informatique et des Libertés (CNIL)**, the French data protection supervisory authority: [www.cnil.fr](https://www.cnil.fr).
</Accordion>

<Accordion title="9. International data transfers">
  Airdun's primary infrastructure is hosted in the **European Union (Google Cloud, Paris region)**. No personal data is stored outside the EU by Airdun's own systems.

  Some sub-processors (including Stripe, Twilio, Postmark/Loops, and Anthropic) are based in the United States. Where data is transferred to these providers, Airdun ensures that appropriate safeguards are in place under Article 46 of the GDPR, specifically **Standard Contractual Clauses (SCCs)** approved by the European Commission.
</Accordion>

<Accordion title="10. Changes to this policy">
  Airdun may update this Privacy Policy from time to time to reflect changes in the service, applicable law, or our data practices. When we make material changes, we will notify you by email (to the address associated with your account) and update the "Last updated" date at the top of this page.

  Your continued use of Airdun after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you may cancel your account at any time.
</Accordion>

<Accordion title="11. Contact">
  For any questions, concerns, or rights requests relating to this Privacy Policy or Airdun's data practices, please contact:

  **Louis Rapp EI**
  63 route de Laoureaux
  31590 Lavalette
  France

  **Email:** [hello@airdun.com](mailto:hello@airdun.com)

  We aim to respond to all enquiries within 5 business days.
</Accordion>
