Privacy Policy

Last updated: March 17, 2026 — Recovix by Ceyhun Goksal, Auto-entrepreneur, France

This Privacy Policy explains how Recovix ("we", "us", operated by Ceyhun Goksal, auto-entrepreneur, France) collects, uses, and protects personal data in accordance with the General Data Protection Regulation (GDPR — Regulation EU 2016/679) and French data protection law (Loi Informatique et Libertés).

1. Data Controller

The data controller is:

Ceyhun Goksal — Auto-entrepreneur
Activity: SaaS — Recovix (recovix.io)
Country: France
Contact: contact@recovix.io

2. Data We Collect

Recovix collects and processes two categories of personal data:

A. Data about our Clients (SaaS founders who use Recovix)

Data	Purpose	Legal Basis	Retention
First name, last name	Account identification	Contract performance	Duration of account + 3 years
Email address	Authentication, invoices, service communications	Contract performance	Duration of account + 3 years
Stripe account ID	Connect to Stripe for payment recovery	Contract performance	Duration of account
Payment history (invoices)	Billing and accounting	Legal obligation	10 years (French accounting law)

B. Data about Clients' Customers (end-users whose payments failed)

Data	Purpose	Legal Basis	Retention
Email address	Sending recovery emails	Legitimate interest of the Client	Maximum 90 days after last recovery attempt
Stripe customer ID	Identifying the customer in Stripe	Contract performance	Maximum 90 days after last recovery attempt
Invoice amount and currency	Recovery tracking and billing	Contract performance	Maximum 90 days after last recovery attempt

Recovix acts as a data processor for Clients' customer data and as a data controller for Client account data.

3. How We Use Your Data

We use personal data strictly for the following purposes:

Providing and operating the Recovix service
Sending automated payment recovery emails to your customers on your behalf
Generating and sending invoices for our fees
Communicating service-related updates and notifications
Complying with legal and accounting obligations
Detecting and preventing fraud or abuse

We do not sell, rent, or share personal data with third parties for marketing purposes.

4. Data Sharing and Sub-processors

To deliver the Service, Recovix uses the following third-party processors:

Provider	Role	Data shared	Location
Supabase	Database hosting	Account data, payment records	EU (Frankfurt)
Stripe	Payment processing, Connect	Stripe account IDs, invoice data	EU / USA (SCCs)
Resend	Transactional email	Customer email addresses	EU
Vercel	Application hosting	Request logs	EU

All sub-processors are bound by GDPR-compliant data processing agreements. Transfers outside the EU are governed by Standard Contractual Clauses (SCCs).

5. Data Security

Recovix implements appropriate technical and organizational measures to protect personal data, including:

TLS encryption for all data in transit
Encrypted database storage (Supabase)
Row-level security (RLS) to isolate client data
API key rotation and access controls
OAuth-based authentication (no passwords stored in plain text)

In the event of a personal data breach, we will notify affected parties and the CNIL within 72 hours as required by GDPR Article 33.

6. Data Retention

Personal data is retained only for as long as necessary:

Client accounts: Duration of the contractual relationship + 3 years for disputes
Billing records: 10 years as required by French accounting law
End-customer data (emails, Stripe IDs): Maximum 90 days after the last recovery attempt or account termination, whichever comes first
Server logs: Maximum 30 days

7. Your Rights (GDPR)

Under GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of the data we hold about you
Right to rectification (Art. 16): Request correction of inaccurate data
Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten")
Right to restriction (Art. 18): Request restriction of processing
Right to portability (Art. 20): Receive your data in a structured, machine-readable format
Right to object (Art. 21): Object to processing based on legitimate interests
Right to withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at contact@recovix.io. We will respond within 30 days. You also have the right to lodge a complaint with the French supervisory authority, the CNIL, at cnil.fr.

8. Cookies

Recovix uses only strictly necessary cookies for authentication (session management via Supabase). We do not use tracking, advertising, or analytics cookies. No consent banner is required for strictly necessary cookies under GDPR.

9. Children's Privacy

The Service is intended for business use only and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email at least 14 days before they take effect. The most current version is always available at recovix.io/privacy.

11. Contact

For any privacy-related questions or to exercise your rights:

Ceyhun Goksal — Recovix
Email: contact@recovix.io
Website: recovix.io