Privacy Policy.
Version 2026-05-17 · Effective 17 May 2026
1. Who we are
Winback (“we”, “us”) is operated by Axiomis OÜ trading as Winback, a company registered in Estonia under commercial registry number 17493372, with registered office at Sepapaja tn 6, 15551 Tallinn, Estonia. Our service helps subscription businesses recover lost revenue from two sources: payment failures (subscriptions cancelled by Stripe after a card decline) and deliberate cancellations (subscribers who chose to leave). You can reach us at privacy@winbackflow.co.
2. Our role
When you sign up as a customer of Winback, we act as a data controller for your account data (name, email, company, billing). When we process the personal data of your churned subscribers on your behalf, we act as a data processor under our Data Processing Agreement.
3. What we collect
For our customers (controllers):
- Account data: name, work email, hashed password, IP address at signup.
- Billing data: Stripe customer ID, subscription status, invoices.
- Configuration: Stripe OAuth token (encrypted), product changelog text.
For your subscribers (data subjects we process on behalf of our customers):
- Identifiers: email address, first name (if available), Stripe customer ID.
- Subscription metadata: plan, MRR, tenure, status (active / cancelled / past-due).
- For deliberate cancellations: cancellation reason code and any free-text comment the subscriber provided to your cancel flow.
- For payment failures: the Stripe decline code (e.g. expired card, insufficient funds), the timestamp of each retry attempt, and the timestamp the card was successfully updated.
- Reply content if the subscriber responds to one of our emails.
4. Lawful basis
For our own customer relationship, we rely on contract (Art. 6(1)(b) GDPR). For processing churned-subscriber data on behalf of our customers, our customers rely on legitimate interest (Art. 6(1)(f)) — re-engaging a recently lapsed customer with whom they had an existing relationship. Subscribers can opt out at any time via the unsubscribe link in every email.
5. How we use data
We process your subscribers’ personal data for these specific purposes:
- Payment-recovery emails. When a card payment fails, send a short decline-code-aware sequence (typically up to three messages, timed to lead Stripe’s automatic retries) with a one-tap link to update the payment method. These emails are rule-based and not AI-drafted.
- Cancellation classification and win-back emails. Classify the cancellation reason using Anthropic’s Claude model, draft a personalised reply in your approved voice, and send it via Resend.
- Re-engagement when you ship something. When you publish a product improvement in your dashboard, match it against past cancellation reasons from the last 12 months and send one targeted email to subscribers whose stated reason matches what you just shipped.
- Handle inbound replies, unsubscribes, and DSRs. Capture replies for your dashboard, honour one-click unsubscribes immediately, and process data-subject requests received via the controllers we serve.
- Billing our customers. Charge a single flat monthly fee priced by the customer’s own MRR (Starter $99 / Growth $299 / Scale $699 / Enterprise sales-handled). No per-recovery charges, no usage caps.
6. Automated decision-making (Art. 22)
We use Anthropic’s Claude model to classify cancellation reasons, cluster recurring themes across recent cancellations, and draft cancellation-winback emails. This processing is not a decision producing legal or similarly significant effects on the subscriber — the output is an email the subscriber can ignore or unsubscribe from in one click.
The Winback customer approves the email tone, voice, and template structure during onboarding. After that, individual cancellation-winback emails are sent automatically (typically within about one minute of the cancellation event) without per-message human review. The Winback customer can pause sending at any time from Settings, edit the template, or handle an individual subscriber themselves. Payment-recovery emails are not AI-drafted: they are rule-based decline-aware copy with no per-message AI involvement.
We run Claude in zero-retention mode: Anthropic does not store the inputs or outputs after the request completes, and does not use them to train models.
7. Subprocessors
We use a small number of vetted subprocessors (Vercel, Neon, Anthropic, Resend, Stripe). See the live list at /subprocessors.
8. International transfers
We are established in the European Economic Area (Estonia), and core processing happens within the EEA. Some of our subprocessors (Anthropic, Resend, and parts of Stripe) are based in the United States. Transfers to those subprocessors rely on the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914), incorporated into our Data Processing Agreement, plus supplementary technical measures (TLS 1.2+ in transit, AES-128-GCM at rest for sensitive secrets, and least-privilege access controls).
9. Retention
We retain subscriber records for as long as the Winback customer’s workspace exists, so that performance metrics (recovered subscribers, revenue saved) remain accurate over time. When a customer deletes their Winback workspace, we delete the associated subscriber data within 30 days, subject to retention obligations under applicable law. Customers can request earlier deletion of specific subscriber records at any time by emailing privacy@winbackflow.co.
Account data (your name, login email, billing records) is retained for the duration of the customer relationship plus the period required for tax, accounting, and dispute obligations under Estonian law (typically 7 years for accounting records).
10. Your rights
You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to lodge a complaint with your data protection authority. To exercise any of these rights, email privacy@winbackflow.co. We respond within 30 days.
11. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Stripe OAuth tokens are encrypted with AES-128-GCM. Access to production systems is restricted to the founding team and audited.
12. Cookies
We use only essential cookies required to keep you signed in (a session cookie set by our auth library) and to remember the dashboard tab you last opened. We do not set advertising, analytics, or third-party tracking cookies. You do not need to accept a cookie banner to use the Service.
13. California residents (CCPA / CPRA)
If you are a California resident, you have the right to know what personal information we collect about you, to access or delete it, to correct inaccuracies, and to opt out of any “sale” or “sharing” of personal information for cross-context behavioural advertising. We do not sell or share personal information for such purposes — the data we process is used solely to deliver the Winback Service to you or to the Winback customer who controls your data. To exercise any of these rights, email privacy@winbackflow.co.
14. Children’s privacy
Winback is a business-to-business service intended for use by subscription businesses and their adult subscribers. The Service is not directed to children under 16 and we do not knowingly collect personal information from anyone under 16. If you believe we have inadvertently collected personal data from a minor, email privacy@winbackflow.co and we will delete it.
15. Changes
If we materially update this policy, we will notify active customers by email at least 30 days before the change takes effect.