Information We Collect
Account Information
When you create an account, we collect your name, email address, company name, and password. Authentication is handled by our identity provider, Clerk. We also collect your role and company size to personalize your experience.
Customer Data You Provide
You may upload customer data (names, emails, MRR, usage metrics, support ticket counts, and payment failure history) for churn analysis. This data is stored securely and processed solely for the purpose of providing our churn prevention services. You retain full ownership of this data at all times.
Payment Information
Payment processing is handled entirely by Stripe. We do not store, process, or have access to your full credit card numbers. Stripe may collect and store payment information in accordance with their own privacy policy. We only receive limited information from Stripe, such as the last four digits of your card and billing address, for receipt and support purposes.
Usage and Device Data
We automatically collect information about how you interact with our services, including IP addresses, browser type, operating system, pages visited, features used, timestamps, and referring URLs. This data is used to improve our services, maintain security, and diagnose technical issues.
Communications
If you contact us via email, support chat, or our contact form, we retain the contents of those communications along with your contact information for support and record-keeping purposes.
How We Use Your Information
We use the information we collect for the following purposes:
- Provide, maintain, and improve our churn prediction and intervention services
- Train and improve our AI risk-scoring models using aggregated, anonymized patterns (never individual customer records — see AI section below)
- Process transactions and manage your subscription billing
- Send service-related communications, including save reports, intervention summaries, and billing notices
- Detect, prevent, and address fraud, security issues, and technical problems
- Comply with legal obligations and enforce our terms
- Maintain audit logs for SOC 2 compliance
- Analyze usage patterns to improve user experience and product features
We do not sell your personal information. We do not share your data with third parties for their own marketing purposes.
AI and Machine Learning
How We Process Data with AI
ChurnRate.io uses artificial intelligence and machine learning to analyze customer behavior patterns, predict churn risk, and generate personalized intervention emails. When you upload customer data, our AI models process it to:
- Calculate individual customer risk scores
- Identify behavioral signals correlated with churn
- Generate tailored intervention email copy using large language models
- Track and attribute customer saves to specific interventions
Model Training and Your Data
We do not use your raw customer data to train our machine learning models. Our churn prediction models are trained on aggregated, anonymized statistical patterns derived from platform-wide data. No individual customer records, names, emails, or identifiable information are used in model training. You may opt out of contributing anonymized patterns to model improvement by contacting us at privacy@churnrate.io.
Third-Party AI Providers
We use OpenAI and Anthropic APIs for email generation. When generating intervention emails, we send minimal contextual data (risk factors, product category, tone preferences) to these providers. We never send customer names, emails, or other personally identifiable information to third-party AI providers. Both providers have committed to not training on API inputs under our enterprise agreements.
Automated Decision-Making (GDPR Art. 22)
Our service involves automated processing to generate risk scores and intervention recommendations. However, these automated outputs serve as recommendations — you retain full control over whether to send any intervention email. No fully automated decisions with legal or similarly significant effects are made without human review. You have the right to request human review of any automated assessment by contacting privacy@churnrate.io.
Data Storage and Security
Your data is stored on secure cloud infrastructure provided by Neon (PostgreSQL), hosted in the United States. We implement comprehensive security measures including:
- Encryption in transit — All data transmitted between your browser and our servers uses TLS 1.2 or higher
- Encryption at rest — All stored data is encrypted using AES-256 encryption
- Access controls — Role-based access control (RBAC) with least-privilege principles for all team members
- Audit logging — Comprehensive logging of all data access and modifications
- Regular security reviews — Periodic vulnerability assessments and penetration testing
- SOC 2 compliance program — Controls designed to meet Trust Services Criteria for security, availability, and confidentiality
- Automated backups — Daily database backups with point-in-time recovery capability
In the event of a security incident, we follow our incident response plan, which includes immediate containment, investigation, and notification procedures.
Sub-Processors and Third Parties
We use the following sub-processors that may process your data. We only share the minimum data necessary for each service to function and maintain data processing agreements with each provider.
| Service | Purpose | Data Categories |
|---|---|---|
| Clerk | Authentication & identity | Name, email, session tokens |
| Stripe | Payment processing | Billing info, payment methods, transaction history |
| Neon | Database hosting (PostgreSQL) | All application data (encrypted at rest) |
| Vercel | Application hosting & CDN | IP addresses, request metadata, server logs |
| Sentry | Error monitoring | Error traces, browser info, user IDs (no PII) |
| Resend | Transactional email delivery | Email addresses, email content |
| OpenAI / Anthropic | AI email generation | Risk factors, product context (no PII) |
| HubSpot | CRM & analytics | Contact info, engagement data |
Each provider maintains their own privacy policies and security certifications. We review the security posture of our sub-processors annually and will notify you of any material changes to this list.
Data Retention
We retain different categories of data for different periods:
- Account data — Retained for as long as your account is active, plus 30 days after account deletion for recovery purposes
- Customer data — Retained for the duration of your active subscription plus 30 days after cancellation or data deletion request
- Audit logs — Retained for 1 year for SOC 2 compliance, then automatically purged
- Usage analytics — Retained for 2 years in aggregated form
- Support communications — Retained for 3 years for service quality and legal purposes
- Billing records — Retained for 7 years to comply with tax and financial reporting obligations
You may request deletion of your data at any time through your Data & Privacy page or by contacting privacy@churnrate.io. We will process deletion requests within 30 days.
Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:
- Right of Access (Art. 15) — Request a copy of all personal data we hold about you
- Right to Rectification (Art. 16) — Correct inaccurate or incomplete personal data
- Right to Erasure (Art. 17) — Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing (Art. 18) — Request that we limit how we use your data
- Right to Data Portability (Art. 20) — Export your data in a structured, machine-readable JSON format
- Right to Object (Art. 21) — Object to processing of your data, including for direct marketing
- Right Not to Be Subject to Automated Decisions (Art. 22) — Request human review of automated assessments
You can exercise your data portability and erasure rights directly from your Data & Privacy page. For all other requests, contact us at privacy@churnrate.io. We will respond within 30 days.
Legal Basis for Processing: We process your data based on (a) your consent, (b) performance of our contract with you, (c) our legitimate interests in operating and improving our services, and (d) compliance with legal obligations. You have the right to withdraw consent at any time without affecting the lawfulness of prior processing.
If you believe we have not adequately addressed your data protection concerns, you have the right to lodge a complaint with your local data protection supervisory authority.
Your Rights Under CCPA/CPRA
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know — You can request the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the third parties with whom we share it
- Right to Delete — You can request that we delete personal information we have collected from you, subject to certain exceptions
- Right to Correct — You can request that we correct inaccurate personal information
- Right to Opt-Out of Sale/Sharing — You have the right to opt out of the sale or sharing of your personal information. However, we do not sell or share personal information as defined under the CCPA/CPRA
- Right to Limit Use of Sensitive Information — You can limit how we use sensitive personal information (we only use it for service provision)
- Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA/CPRA rights
To exercise these rights, contact us at privacy@churnrate.io or through your Data & Privacy page. We will verify your identity before processing your request and respond within 45 days.
California "Shine the Light" Law: We do not disclose personal information to third parties for their direct marketing purposes. If this practice changes, we will provide you with the ability to opt out.
International Data Transfers
ChurnRate.io is operated from the United States. If you access our services from outside the United States, your personal data will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) — We use the European Commission's approved Standard Contractual Clauses as the legal mechanism for cross-border data transfers
- Data Processing Agreements — We maintain DPAs with all sub-processors that handle personal data from the EEA/UK
- Supplementary measures — Including encryption in transit and at rest, access controls, and regular security assessments
You may request a copy of the Standard Contractual Clauses we use by contacting privacy@churnrate.io.
Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify affected users within 72 hours of becoming aware of the breach, as required by GDPR Article 33
- Notify relevant supervisory authorities within the same timeframe when required
- Provide clear details about the nature of the breach, the data affected, the likely consequences, and the measures taken to mitigate harm
- Comply with applicable state breach notification laws in the United States, including but not limited to the California Data Breach Notification Law
Notifications will be delivered via email to the address associated with your account. We also maintain an internal incident response plan that is reviewed and tested regularly.
Children's Privacy
Our services are designed for business use and are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take immediate steps to delete that information.
If you believe that a child under 16 has provided personal information to us, please contact us at privacy@churnrate.io so we can take appropriate action.
Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- Material changes — We will notify you at least 30 days in advance by email and through a prominent notice on our website. Material changes include new data collection practices, new sub-processors, or changes to your rights.
- Non-material changes — Minor clarifications, formatting, or wording updates may be made without advance notice. The "Last updated" date will always reflect the most recent revision.
Your continued use of our services after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account.
Contact Us
If you have questions about this privacy policy, your data, or our privacy practices, contact us at:
- Privacy inquiries: privacy@churnrate.io
- General inquiries: hello@churnrate.io
- Website: churnrate.io/contact
We aim to respond to all privacy-related inquiries within one business day.
Data Controller Information
For the purposes of applicable data protection legislation:
- Data Controller: ChurnRate.io acts as the data controller for personal data related to your account, usage data, and communications with us.
- Data Processor: ChurnRate.io acts as the data processor for the customer data you upload to our platform for churn analysis. You, as our customer, are the data controller for this data.
Enterprise customers may request a Data Processing Agreement (DPA) that formalizes our obligations as a data processor. Contact legal@churnrate.io to request a DPA.