Privacy Policy

Last updated: July 12, 2026

1. Introduction

ChurnNote (“we”, “us”, “our”) operates the churnnote.com website and the ChurnNote SaaS application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.

Two kinds of people are covered here: account holders (founders who sign up for ChurnNote) and their customers(people whose billing events and email replies ChurnNote processes on the account holder’s behalf). For account-holder data, ChurnNote decides how data is used (we act as the controller). For your customers’ data, we process it on your instructions to provide the service (we act as a processor); you remain responsible for having a lawful basis to email your cancelled customers.

2. Information We Collect

Account Information

  • Name and email address (via Google sign-in or an email sign-in link)
  • Profile picture, when provided by your Google account

Payment Provider Data

  • Stripe or Lemon Squeezy API keys you paste in (encrypted at rest with AES-256-GCM)
  • Webhook signing secrets for verifying billing events (encrypted at rest)
  • Subscription lifecycle events from your connected provider: cancellations, failed payments, renewals, and the customer name, email, and plan details attached to them

Email Data

  • Emails sent on your behalf to your cancelled customers (subject and body are stored so you can see what was sent)
  • Replies received from your customers (captured through our inbound email address)
  • Sender configuration (your name, reply-to address, company name)
  • If you configure custom SMTP: your SMTP host, port, and username, plus your SMTP password encrypted at rest. Your emails then leave through your own SMTP provider.
  • Delivery events from our email provider (delivered, bounced, marked as spam) and the resulting do-not-contact records

Usage Data

  • Server log data (IP address, browser type, pages visited)
  • Aggregated page analytics via Vercel Analytics and Speed Insights
  • Feature usage within the application

3. How We Use Your Information

  • To provide and maintain the ChurnNote service
  • To send exit, follow-up, win-back, and payment-recovery emails to your customers on your behalf
  • To capture and categorize customer replies
  • To honor unsubscribes, bounces, and spam complaints by blocking future email to those recipients
  • To generate digest reports for you
  • To process your subscription payments via Lemon Squeezy
  • To improve and operate the service, including deliverability monitoring
  • To communicate with you about your account

4. AI Processing

We use OpenAI’s API (currently the GPT-4o-mini model) to draft exit, follow-up, and win-back emails and to categorize customer replies. The content sent to OpenAI is limited to what those tasks need: the reply text or conversation thread, the customer’s first name and plan context, and your sender details. Per OpenAI’s API terms, data submitted through the API is not used to train their models. No other AI provider currently receives your data; if that changes, this policy will be updated first.

5. Data Storage and Security

  • Application data is stored in Supabase (managed Postgres hosted on AWS)
  • Billing API keys, webhook secrets, and SMTP passwords are encrypted at rest (AES-256-GCM); they are never included in exports, logs, or support tooling
  • Row Level Security ensures accounts can only access their own data
  • Billing webhooks are only processed after their cryptographic signatures verify
  • All connections use HTTPS/TLS encryption in transit
  • We do not sell, rent, or share your data with third parties for marketing purposes

6. Subprocessors and Third-Party Services

These services process data to operate ChurnNote:

  • Supabase — authentication and database hosting (receives all application data; infrastructure runs on AWS)
  • Vercel — application hosting, deployment, and aggregated site analytics (Vercel Analytics, Speed Insights)
  • Resend — outbound email delivery, inbound reply capture, and delivery/bounce/complaint events (receives recipient addresses and message content)
  • OpenAI — email drafting and reply categorization (receives reply text and the customer/sender context described in section 4)
  • Lemon Squeezy — ChurnNote’s own subscription billing (receives your account email and payment details; we never see your card number)
  • Stripe or Lemon Squeezy (your connected account) — we read subscription and cancellation data from the provider you connect, using the API key you supply
  • Your SMTP provider (optional) — if you enable custom SMTP, your customer emails are delivered through the provider you configure, under that provider’s terms
  • ImprovMX — forwards mail sent to our public contact addresses (hello@, support@, legal@churnnote.com) to our inbox (receives the content of messages you send to those addresses)
  • cron-job.org — triggers scheduled background jobs by calling our API on a timer; it receives no personal data, only the endpoint URL and an authorization token

Each service has its own privacy policy governing its handling of data.

7. Data Retention

We retain your account data, customer records, and email history for as long as your account exists. Webhook event logs and email delivery logs are kept for debugging and deliverability monitoring while your account is active. When you delete your account (section 8), workspace data is removed as part of that process. Unsubscribe, bounce, and spam-complaint records are retained even after account deletion, because we are required to keep evidence that a recipient opted out so they are never emailed again. A minimal audit entry recording the deletion itself is also retained.

8. Your Rights and Controls

You can, at any time:

  • Export your data — Settings → Data & privacy → “Export my data” downloads your workspace data as JSON. Exports never contain billing keys, webhook secrets, or passwords.
  • Delete your account — Settings → Data & privacy → “Delete account”. Deletion stops all ChurnNote emails and background processing immediately, removes your customer data, email history, provider connections, and encrypted credentials, cancels your ChurnNote subscription, and disables your login. Cleanup runs when you confirm; if any step fails, the account is marked accordingly and processing stays stopped while we finish it.
  • Disconnect your payment provider — Settings → Provider. This also removes the webhook we registered in your provider account. You can also revoke the API key from your provider’s dashboard at any time; ChurnNote then loses all access.
  • Request access to or correction of your personal data by emailing us
  • Cancel your ChurnNote subscription at any time

Your customers can opt out directly: re-engagement emails ChurnNote sends include an unsubscribe link and one-click unsubscribe headers. An unsubscribe, a permanently failed delivery, or a spam report immediately blocks all future ChurnNote email to that recipient from your workspace.

9. Cookies

We use essential cookies for authentication and session management. We do not use advertising or tracking cookies. See our Cookie Policy for details.

10. Children's Privacy

ChurnNote is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the “Last updated” date.

12. Contact Us

If you have any questions about this Privacy Policy, please contact us at hello@churnnote.com.