Acceptable Use Policy.
Version 2026-05-17 · Effective 17 May 2026
This policy governs what Winback customers (“you”) may and may not do with the Winback service. Breach of this policy is grounds for immediate account suspension without refund, and — where legal thresholds are crossed — reporting to the relevant authorities.
What Winback is for
Sending a personalised, one-time win-back email from your business’s real identity to a subscriber who cancelled a paid subscription with you on Stripe. The email must be relevant to the cancelled subscription and must carry your return-route reply address.
What you must not do
- Spam.Winback sends one email per cancellation. You may not use Winback’s sending domain to send bulk broadcasts, newsletters, sequences, promotions, or any message to subscribers who did not cancel a subscription with you through Stripe.
- Scraped or purchased lists. The only legitimate input to Winback is a Stripe cancellation event you received through your own, consented customer relationship. Importing addresses from any other source is a terminating breach.
- Pretending to be someone else.The “From” name in a win-back email must be a real person at your business. You may not impersonate a third party, a Stripe employee, or Winback itself.
- Sending to unsubscribers. Every Winback email carries
List-Unsubscribeplus a visible link. Unsubscribes are honoured automatically within seconds. You may not circumvent, disable, or override this. - Illegal, harmful, or hateful content. The standard prohibitions: content that is unlawful, threatens or harasses a person, sexualises minors, incites violence, or facilitates fraud, money laundering, unlicensed gambling, unlicensed financial services, weapons trafficking, illegal drugs, CSAM, or terrorism.
- Regulated industries without compliance. Healthcare and financial services subscriptions may use Winback only if your own compliance obligations allow automated email follow-up at the moment of cancellation.
- Abusing Stripe.You may not use Winback to automate refunds, create subscriptions without the subscriber’s click-through, bypass Stripe’s own terms, or disguise the origin of a charge.
- Sharing credentials. Your Stripe OAuth connection, Winback login, and API tokens are personal to your business. You may not share them.
Spam-complaint monitoring
We monitor complaint rate on our sending domain continuously. If a single Winback customer’s complaint rate reaches a level that puts deliverability at risk, we pause sending for that customer and email the founder. Repeat issues end in termination. Industry benchmarks (Gmail, Microsoft, Apple) put the safe ceiling at roughly 0.1% — we aim to act before any account approaches that.
Reporting abuse
If you believe Winback is being used against you or against a subscriber — including as a recipient of a Winback email that looks like spam — email abuse@winbackflow.co. We triage within 1 business day.
Enforcement
Breach of this policy is grounds to:
- Pause your Winback account immediately;
- Terminate your Winback account with no refund for the current billing period;
- Report to the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee) as our lead supervisory authority, to your own EU/EEA national supervisory authority where applicable, to the European Data Protection Board for cross-border matters, and to Stripe or law enforcement where required.
We will tell you why we took action, unless legally prevented from doing so.
Changes
We update this policy as abuse vectors change. Material changes are emailed to account owners 14 days before they take effect, except for changes that address an active abuse incident — those take effect immediately.