
Data Privacy

How LostChurn protects your data — encryption, GDPR compliance, sub-processors, data retention, and how to request exports or erasure.

LostChurn is built to protect your customers' data at every layer. This page explains our data protection practices, your rights as a data controller, and how to exercise them.

Encryption

In Transit

All data transmitted to and from LostChurn is encrypted using TLS 1.3. This includes:

  • Webhook payloads from your payment processor
  • Dashboard and API requests
  • WebSocket connections to SpacetimeDB
  • Email and SMS delivery to third-party providers

At Rest

LostChurn uses AES-256-GCM (authenticated encryption) to protect personally identifiable information stored in the database:

Field                    | Protection
-------------------------|-------------------------------
Customer email           | AES-256-GCM encrypted
Customer name            | AES-256-GCM encrypted
Merchant email           | AES-256-GCM encrypted
Audit log IP addresses   | SHA-256 hashed (irreversible)

Encryption keys are versioned and can be rotated without downtime. API keys are stored as SHA-256 hashes — the raw key is never persisted.

LostChurn never stores full card numbers or CVVs. Payment card data remains with your payment processor.

GDPR Compliance

LostChurn acts as a data processor on your behalf. You remain the data controller and determine what customer data is sent to LostChurn via your payment processor's webhook payloads.

Data Processing Addendum (DPA)

A Data Processing Addendum is available for all customers. For self-serve plans, the DPA is incorporated into the Terms of Service and auto-accepted at signup. Enterprise customers can request a separately executed DPA.

The DPA covers:

  • Scope and purpose of data processing
  • Security obligations and breach notification (72-hour SLA)
  • Sub-processor management and change notification
  • Data subject rights handling
  • International data transfer mechanisms
  • Data retention and deletion procedures

Contact privacy@lostchurn.com for a copy of the full DPA.

EU-US Data Privacy Framework

LostChurn participates in the EU-US Data Privacy Framework (DPF), providing an adequate level of data protection recognized by the European Commission. Our DPF certification is supplemented by Standard Contractual Clauses (SCCs) embedded in the DPA as a secondary transfer mechanism.

SOC 2 Certification

LostChurn is pursuing SOC 2 Type I certification, with a target completion in Q3 2026. Our current security posture includes:

  • 12 security and compliance policies covering access control, encryption, incident response, change management, vendor management, and data retention
  • Continuous vulnerability scanning with Semgrep, Snyk, Dependabot, and Socket.dev
  • Automated secret detection with gitleaks
  • Infrastructure on Cloudflare with built-in DDoS protection and WAF

Sub-Processors

LostChurn uses the following third-party sub-processors to deliver the service:

Sub-Processor                 | Purpose                               | Location
------------------------------|---------------------------------------|---------------
Cloudflare, Inc.              | Infrastructure, CDN, edge computing   | Global / US
SpacetimeDB (Clockwork Labs)  | Database hosting                      | US
Clerk, Inc.                   | Authentication and user management    | US
Stripe, Inc.                  | Payment processing integration        | US
Resend, Inc.                  | Email delivery                        | US
Twilio, Inc.                  | SMS delivery                          | US
Cloudflare Workers AI         | AI inference (no PII processed)       | Global (edge)

We notify customers at least 30 days in advance before engaging a new sub-processor. You may object to any new sub-processor within that period.

Data Retention and Deletion

LostChurn retains data only as long as needed to provide the service:

Data Type                                      | Retention Period
-----------------------------------------------|--------------------------------
Customer identifiers (name, email)             | Active subscription + 90 days
Payment metadata (last four, card brand)       | Active subscription + 90 days
Transaction records (invoices, decline codes)  | Active subscription + 1 year
Communication logs (delivery status, opens)    | Active subscription + 1 year
Audit logs                                     | 2 years

After your subscription ends, all customer data is automatically purged within 30 days.

Data Export

You can export your data at any time:

  • Dashboard: Navigate to Settings > Privacy & Compliance and click Export Data
  • API: GET /api/v1/customers/:id/export

Exports are delivered as encrypted JSON files stored temporarily in R2 (AES-256-GCM encrypted at rest).

Data Erasure

To delete a specific customer's data (GDPR Article 17 — Right to Erasure):

  • Dashboard: Navigate to the customer's profile and click Delete Customer Data
  • API: DELETE /api/v1/customers/:id

Erasure executes a 12-phase cascade that removes or anonymizes all associated records including communication logs, recovery states, retry attempts, campaign enrollments, and attribution records. Erasure is completed within 30 days per GDPR requirements.

Data erasure is irreversible. Anonymized aggregate metrics (e.g., recovery rates) are retained for reporting but cannot be linked back to any individual.

Questions

For data privacy inquiries, DPA requests, or to exercise your data subject rights, contact us at privacy@lostchurn.com.
