Privacy Policy
Effective date: April 21, 2026 · Last reviewed: April 21, 2026
1. Introduction
Recoup Systems Inc. (“Recoup”, “we”, “our”, “us”) is the company responsible for information collected through the Recoup service at recoup.cash and related applications (the “Service”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have.
Recoup acts as a data processor with respect to Customer Data processed on behalf of its users, and as a data controller with respect to information collected for its own business operations (such as billing, account management, and analytics).
This policy applies in addition to our Terms of Service. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
“Customer Data” means any data related to your customers, including names, contact information, invoices, payment records, and other information imported from QuickBooks Online or otherwise provided by you to the Service.
From you directly
- Name, business name, industry, email, business phone, and primary contact details provided during onboarding.
- Tone preference, send-from settings, approval mode, Executive review threshold, default deposit percentage, and other configuration you set inside the Service.
- Billing information. Card details are collected and processed by our payment processor; we store only a reference token, the last four digits, the expiration date, and the cardholder name.
- Support correspondence and feedback you send us.
From QuickBooks Online (via OAuth 2.0 read access)
- Your company profile, company ID (Realm ID), and currency.
- Customer records: names, contact emails, phone numbers, billing and shipping addresses.
- Invoices: invoice numbers, line items, amounts, balances, due dates, and payment terms.
- Payments and credit memos: dates, amounts, methods, and application to invoices.
- Aggregated AR aging snapshots taken at connection and on an ongoing basis.
From Google (via OAuth, when you connect your Gmail account)
- Authentication data: your email address and basic profile information (name, profile picture) when you sign in with Google.
- Email sending authorization: OAuth access and refresh tokens that allow Recoup to send emails on your behalf from your connected Gmail address.
- Metadata about emails sent through the Service (timestamps, recipients, delivery status) for operational and audit purposes.
Recoup does not read, access, forward, or share the contents of your Gmail inbox. Replies to emails Recoup sends are routed to Recoup's inbound email infrastructure via a custom Reply-To address, not via any read access to your Gmail account.
From Microsoft (via OAuth, when you connect your Outlook account)
- Authentication data: your email address and basic profile information (name, profile picture) when you sign in with Microsoft.
- Email sending and processing authorization: OAuth access and refresh tokens that allow Recoup to send emails on your behalf from your connected Outlook address, read replies to those emails in your Outlook inbox, and organize those reply threads within your mailbox.
- Metadata about emails sent and received through the Service (timestamps, recipients, delivery status, reply content relevant to invoice communications).
Automatically, when you use the Service
- IP address, browser type and version, operating system, device identifier, and time zone.
- Usage events (pages viewed, features used, actions taken) for debugging, abuse prevention, and product improvement.
- Server logs recording requests, response codes, and error traces.
Sensitive Personal Data — Not Intended
The Service is not intended to process sensitive personal information such as Social Security numbers, financial account credentials, health information, or government identification numbers, and users are instructed not to provide such information.
3. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service.
- Generate AI-drafted communications on your behalf. Depending on your account settings, these may be queued for your manual review and approval, or automatically sent based on the rules and thresholds you define.
- Send invoice reminders, updates, and optional follow-ups to your customers at your direction via email (through Recoup's infrastructure or, when you connect your Gmail or Outlook account, from your own email address), SMS, and physical mail. SMS messages sent through the Service include opt-out instructions (recipients may reply “STOP” to unsubscribe at any time). Message and data rates may apply to recipients. You are responsible for ensuring that SMS communications comply with all applicable laws and carrier requirements, including the Telephone Consumer Protection Act (TCPA) and CTIA guidelines.
- Receive and process replies to Recoup-sent emails for the purpose of detecting customer responses, updating invoice status, pausing follow-up sequences where appropriate, and generating contextually appropriate follow-up messages.
- For Outlook users only: organize Recoup-handled email threads within your Outlook mailbox (for example, by moving handled reply threads to a dedicated “Recoup” folder and marking processed messages as read) to minimize inbox clutter.
- Produce analytics and dashboards for you (outstanding AR, DSO, collection rate).
- Process billing and respond to support requests.
- Secure the Service, detect and prevent abuse, and comply with legal obligations.
Your compliance responsibilities
You are responsible for ensuring that any communications sent through the Service comply with applicable laws and regulations, including those governing email (such as CAN-SPAM), SMS (such as the Telephone Consumer Protection Act and Florida Telephone Solicitation Act), and consumer communications more broadly. You represent and warrant that you have obtained any required consents from your customers before initiating communications through the Service.
4. AI Processing of Your Data
Recoup uses the Anthropic Claude API to generate message drafts. We follow the principle of data minimization, sending only the minimum context required to draft a message — typically the relevant invoice, customer name and balance, your tone setting, and recent communications history on that invoice.
When we send data to Anthropic, we operate under Anthropic's commercial API terms, which (as of the effective date of this policy):
- Do not use your inputs or outputs to train generative models, per Anthropic's published policy for commercial API customers.
- Retain inputs and outputs only for the limited period required for trust-and-safety and abuse prevention.
We monitor the evolving landscape of AI regulations (including state AI laws and federal guidance) and update our AI data practices accordingly.
While our Service uses AI to generate drafts based on your data, you retain final responsibility for the accuracy, appropriateness, and lawfulness of all communications sent through the Service, whether reviewed manually or sent via your automated settings.
5. How We Share Information — Subprocessors
We do not sell your information and we do not share it with advertisers. We share the minimum information necessary with the following subprocessors, each of which is contractually bound to handle it in line with this policy:
- Intuit Inc. — QuickBooks Online is the source of your accounting data; integration is authorized and revocable by you.
- Anthropic PBC — Claude AI model used to draft message content. US-based. Zero-retention for training.
- Google LLC — Gmail sending via OAuth 2.0 when you connect your Gmail account. US-based. Access limited to authentication scopes and gmail.send. Governed by Google's API Services User Data Policy, including the Limited Use requirements.
- Microsoft Corporation — Outlook email sending, reply reading, and inbox organization via Microsoft Graph API when you connect your Microsoft account. US-based. Access limited to authentication scopes, Mail.Send, and Mail.ReadWrite.
- Supabase Inc. — managed Postgres database and authentication. US-based. Encryption at rest and in transit.
- Vercel Inc. — application hosting and edge network. US-based.
- Stripe Inc. — payment processing (when billing is enabled).
- Twilio Inc. — SMS delivery (Phase 2, when activated).
- Lob Inc. — physical mail delivery (Phase 2, when activated).
Subprocessor Updates
We may update this list from time to time as our Service evolves. Material changes will be reflected in an updated version of this Privacy Policy. Customers with specific subprocessor review requirements may contact us at support@recoup.cash.
We may also disclose information (a) if required by law, subpoena, or court order; (b) to protect our rights, security, or property; or (c) in connection with a corporate transaction (merger, acquisition, asset sale), in which case we will require the recipient to honor this policy.
6. Data Retention
We retain your information for as long as your Subscription is active and for a limited period afterward to meet legal, regulatory, and internal audit requirements. Specifically:
- Customer Data (including QBO Data) is deleted or anonymized within 90 days after termination of your Subscription, except where retention is required by law or an active legal hold.
- Email OAuth tokens are deleted immediately upon disconnection from Recoup (in /settings/email → Disconnect) or upon Subscription termination.
- Audit logs and security event records are retained for up to 12 months.
- Billing records are retained for 7 years as required for tax and accounting purposes.
7. Account Closure and Data Deletion
When you close your Recoup account:
- We immediately stop reading data from your QuickBooks Online connection and immediately delete any Gmail or Outlook OAuth tokens.
- We retain your account data for 30 days to allow you to export or reactivate.
- After 30 days (or immediately upon your request), we permanently delete Customer Data and QBO Data, except as retained under Section 6.
- Billing records are retained for 7 years as described in Section 6.
- Aggregated, anonymized analytics data may be retained for product improvement purposes.
You may request immediate deletion at any time by contacting support@recoup.cash.
8. Security
We protect your information with technical and organizational measures designed to protect against unauthorized access, disclosure, alteration, or destruction. These include:
- Encryption of data in transit and at rest using industry-standard protocols.
- Encrypted storage of OAuth access and refresh tokens, with Row-Level Security isolation per tenant.
- Role-based access control and least-privilege policies.
- Regular dependency and configuration audits.
- Logging and monitoring of administrative actions.
- Incident response procedures for security events.
We review and update our security practices as our Service scales and as industry standards evolve.
No system can be guaranteed 100% secure. If we become aware of a security breach affecting your personal information, we will notify affected users in accordance with applicable legal requirements and in a manner designed to allow you to take appropriate protective measures.
9. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) provide additional rights regarding your personal information.
Do Not Sell or Share My Personal Information: Recoup does not sell personal information, and we do not share personal information for cross-context behavioral advertising. No opt-out is required because these practices do not occur.
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: name, email, business phone, IP address.
- Commercial information: billing history, subscription data.
- Internet activity: usage data, server logs.
- Professional information: business name, industry, role.
- Inferences drawn from the above: tone preferences, communication settings.
Sources: directly from you, from QuickBooks Online (via your authorization), from Google or Microsoft (via your OAuth authorization when you connect an email account), and automatically when you use the Service.
Business purposes: providing the Service, billing, support, security, legal compliance, and service improvement.
Third parties: the subprocessors listed in Section 5.
To exercise your CCPA/CPRA rights, contact us at support@recoup.cash.
10. Your Rights
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information (subject to limited exceptions).
- Port your data to another service in a structured, machine-readable format. For data export requests, we will provide your data in CSV, JSON, or another commonly-used machine-readable format within 30 days of verified request.
- Restrict or object to certain processing.
- Opt out of the sale or sharing of personal information for cross-context behavioral advertising (not applicable to Recoup — we do not sell or share your personal information for these purposes).
- Withdraw consent at any time where processing relies on consent, without affecting the lawfulness of prior processing.
To exercise any of these rights, email support@recoup.cash. We will verify your identity and respond within 30 days, or within the time period required by applicable law, whichever is shorter.
11. Cookies & Tracking
The Service uses essential cookies only — for authentication sessions and basic CSRF protection. We do not use advertising cookies, third-party behavioral tracking, or browser fingerprinting.
We do not currently respond to “Do Not Track” browser signals because there is no industry standard for how such signals should be interpreted. As we do not use advertising cookies or cross-context behavioral tracking, DNT signals have no practical effect on our data practices.
12. Children's Privacy
The Service is a business-to-business product intended for use by business owners and their authorized employees. The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13, consistent with the Children's Online Privacy Protection Act (COPPA). If you believe a child under 13 has provided us with information, please contact us and we will delete it.
13. International Transfers
Recoup is a US-based company and stores data on US-based infrastructure in the United States. The Service is currently intended for use by businesses located in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, which may not provide the same data protection standards as your home country. By using the Service, you consent to this transfer.
For international users whose applicable law requires additional protections for cross-border transfers, we will work with you in good faith to establish appropriate safeguards.
14. Intuit QuickBooks Online — Specific Notice
Recoup is an Intuit-approved integration partner. We honor Intuit's data-handling requirements:
- We use QuickBooks Online data solely to provide the Service you subscribed to.
- We do not use QuickBooks Online data for advertising, resale, or training AI or machine-learning models.
- You may revoke Recoup's access at any time in Recoup → Settings → QuickBooks or directly in your Intuit account settings. Upon revocation we stop all further reads and delete associated QBO Data in accordance with Section 6 above.
- If Intuit revokes our integration certification, we will notify affected customers and provide a 30-day data export window.
14A. Google API Services and Microsoft Graph API — Specific Notice
Recoup's use and transfer of information received from Google APIs adheres to Google's API Services User Data Policy, including the Limited Use requirements. Recoup's use of information received from Microsoft Graph APIs adheres to Microsoft's data use policies.
Sign in with Google or Microsoft (authentication)
When you authenticate with Google or Microsoft, we request the openid, email, and profile scopes solely to verify your identity and create your Recoup account. We receive your email address and basic profile information (name, profile picture). A Recoup session cookie is issued after sign-in.
Gmail sending (optional, per-tenant)
When you connect your Gmail account at /settings/email, we additionally request the gmail.send scope and receive an OAuth access token and refresh token from Google. We use these tokens solely to send collection emails on your behalf from your connected Gmail address.
Gmail reply handling. When you connect your Gmail account, Recoup additionally requests the gmail.readonly scope. Recoup uses this scope solely to identify and read replies to Recoup-sent emails on your behalf, so that the dunning sequence pauses correctly when a customer responds. This protects you from contacting a customer who has already paid, promised payment, or disputed the invoice — which is a regulated obligation under the Fair Debt Collection Practices Act and analogous laws.
Reads are restricted to Gmail threads matching Message-ID headers Recoup itself sent. Recoup does not read, modify, label, organize, or delete messages outside of those reply threads, and does not use Gmail data for advertising, training generalized AI models, or any purpose other than the reply-detection feature described above.
Reply bodies that Recoup reads are stored in our database with encryption in transit (TLS 1.2+) and at rest (provider-managed disk encryption), for the classification record and audit trail. Reply content is retained for 90 days after which it is automatically scrubbed; the classification result (paid / promised / disputed / unsubscribed) is retained as part of the invoice history. You can disconnect Gmail at any time from Settings → Integrations, which revokes Recoup's OAuth grant with Google and purges all stored reply content for your account.
Outlook integration (optional, per-tenant)
When you connect your Microsoft account, we request the Mail.Send and Mail.ReadWrite scopes under Microsoft Graph API and receive an OAuth access token and refresh token. We use these tokens to:
- Send collection emails on your behalf from your connected Outlook address.
- Read replies to Recoup-sent messages in your Outlook inbox, for the purpose of detecting customer responses and updating invoice status.
- Move handled reply threads to a dedicated “Recoup” folder (or similar) within your mailbox, and mark processed messages as read, to minimize inbox clutter.
Outlook data handling. Our use of Microsoft Graph access is strictly limited to the purposes described above. Specifically, Recoup:
- Does not read, access, or process emails unrelated to Recoup-sent communications and their reply threads.
- Does not delete any messages.
- Does not use email content for advertising, marketing, resale, or any purpose unrelated to the Service.
- Does not use email content to train artificial intelligence or machine learning models.
- Does not share email content with any third party except as necessary to operate the Service (for example, sending a specific reply to the Anthropic API to generate a contextually appropriate response draft), as described in Section 4.
Human access to email content
No Recoup employee reads user emails, except as required for security investigations (for example, investigating abuse or a specific user-reported support issue), legal compliance, or with your explicit consent.
Token storage and security
OAuth tokens for both Google and Microsoft are stored in our Supabase database with Row-Level Security isolation per tenant, encrypted at rest.
Revoking access
You may revoke Recoup's email access at any time:
- From within Recoup at /settings/email → Disconnect.
- By deleting your Recoup account.
- Directly in your Google account's security settings (myaccount.google.com/permissions) or your Microsoft account's app permissions (myaccount.microsoft.com/privacy).
Disconnection immediately deletes stored OAuth tokens from our database. Metadata about previously sent and received emails may be retained per our standard data retention policy (Section 6).
15. Governing Law
This Privacy Policy is governed by the laws of the State of Florida, without regard to its conflict of laws principles. Any disputes arising from this Privacy Policy shall be resolved as set forth in our Terms of Service.
16. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you at least 30 days before the changes take effect by email to your account address and via an in-app notice. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact Us
Questions, requests, or complaints about this Privacy Policy? Contact us at support@recoup.cash.
Recoup Systems Inc.
Sarasota, Florida, USA