R
RefundFlow
Start free scan→
Legal Β· Last updated 2026-05-17

Privacy Policy

We process bank statements in memory and never store them. This document explains exactly what we collect, why, and how to delete it.

1. Who we are

RefundFlow ("we", "us") is operated by an independent developer based in Portugal. For billing and tax purposes our merchant of record is Polar Software, Inc. ("Polar") β€” see Section 7.

2. What we collect

2.1 Account data

  • Email address, display name, hashed password (or OAuth provider ID for Google sign-in)
  • Optional support email and reminder preferences

2.2 Service data (provided by you)

  • Subscription records you create or import (service name, price, billing date)
  • Refund requests you submit (service, amount, reason, contact email)
  • Bank statement files you upload β€” processed in memory only, deleted within seconds of parsing

2.3 Technical data

  • Browser, OS, device type, IP-derived country (via Heap analytics)
  • Pages visited, clicks on key actions (paywall, upload, refund) β€” anonymized after 30 days

2.4 Billing data

Card numbers are never stored on our servers. Polar handles all card data directly under PCI-DSS Level 1. We only receive a tokenised customer ID and subscription status.

3. Why we collect it

  • To run the product (auditing statements, sending reminders, submitting refund requests)
  • To keep your account secure (authentication, fraud detection)
  • To improve the product (anonymous usage analytics)
  • To meet legal obligations (tax reporting, court orders if any)

4. Legal basis (GDPR Art. 6)

  • Contract: processing required to provide the service
  • Legitimate interest: anonymized analytics, fraud prevention
  • Consent: marketing emails (opt-in only); withdraw anytime
  • Legal obligation: tax and accounting records (7 years)

5. How long we keep your data

  • Bank statements: deleted within 60 seconds of parsing
  • Account & service data: retained while your account is active, plus 30 days after deletion request
  • Billing records: 7 years (Portuguese tax law)
  • Analytics: anonymized after 30 days

6. Your rights

Under GDPR / UK GDPR / CCPA you have the right to:

  • Access a copy of your data
  • Correct inaccurate data
  • Request deletion (we honour within 30 days unless legally required to keep)
  • Object to processing
  • Data portability (export in JSON)
  • Lodge a complaint with your local data protection authority

To exercise any right, email support@pandaentry.com. We respond within 30 days at no cost.

7. Sub-processors

We use the following sub-processors. Each is bound by a DPA at least as protective as this policy.

  • Polar Software, Inc. β€” payment processing & merchant of record (USA, DPF-certified)
  • Vercel Inc. β€” hosting (USA, DPF-certified)
  • Neon Inc. β€” managed PostgreSQL database (USA, SCC-bound)
  • OpenAI / Anthropic β€” LLM inference for statement parsing & refund email drafting (zero-retention API tier)
  • Heap Inc. β€” product analytics (USA, DPF-certified)
  • Resend / Nodemailer SMTP β€” transactional email delivery

8. International transfers

Data may be transferred to the US (Polar, Vercel, Heap, OpenAI). Transfers rely on EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

9. Security

  • All traffic over TLS 1.3
  • Data at rest encrypted with AES-256
  • Strong password hashing (bcrypt)
  • JWT session tokens with 7-day expiry
  • Annual SOC-2 Type II audit (in progress)

10. Changes to this policy

We will email all active users at least 30 days before any material change. Minor edits (typos, clarifications) are reflected via the "last updated" date.

11. Contact

Email support@pandaentry.com. We reply in English or Portuguese.