Legal

Privacy Policy

This policy explains in plain English what data Rappel collects, why we collect it, where it is stored, and the rights you have under GDPR, CCPA, India's DPDP Act 2023, and the Australian Privacy Act.

Last updated: June 12, 2026

Rappel (rappelhq.com)(“Rappel”, “we”, “us”, or “our”) is a B2B SaaS platform that connects e-commerce stores, payment processors, and accounting software to sync, reconcile, and manage financial data. This Privacy Policy applies to rappelhq.com and all of its subdomains (including app.rappelhq.com and any other subdomain), the Rappel application, our APIs, and related services.

1. Who We Are & How to Contact Us

Rappel is an independently operated business based in India. The operator of Rappel is responsible for the service and for the data practices described in this policy.

For the personal data of our users (account holders), we act as the data controller. For the business data you sync through Rappel (your orders, customers, and transactions), we act as a data processor on your instructions — you remain the controller of that data.

Privacy questions and requests: privacy@rappelhq.com. General support: support@rappelhq.com.

2. What Data We Collect & Why

For each category below we state the purpose and, for users in the EU/UK, the lawful basis under Article 6 GDPR.

  • Signup data — your full name, email address, country, and store name. Used to create and administer your account. Lawful basis: contract (Art. 6(1)(b)).
  • Optional business profile — business entity name, GST/VAT number, and other tax identifiers, if you choose to provide them. Used for invoicing and tax-correct accounting output. Lawful basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)).
  • Integration credentials — OAuth tokens, API keys, and access tokens for the third-party platforms you connect. Stored encrypted with AES-256 and used solely to fetch and sync your data. Lawful basis: contract (Art. 6(1)(b)).
  • Commerce data from integrations — orders, customer records, payments, products, transactions, inventory, payouts, and refunds fetched from your connected stores and payment processors. We do not store your end customers' direct personally identifiable information beyond what reconciliation requires, and we never store payment card details. Processed on your behalf and on your instructions. Lawful basis: contract (Art. 6(1)(b)).
  • Accounting data from integrations — journal entries, customers, products, inventory, exchange rates, purchase orders, sales, tax, accounts, bills, invoices, and journal reporting from QuickBooks Online, Xero, Sage, and Zoho Books. Read and written back (e.g. posting journal entries) strictly based on the permissions you grant and the features you enable. Lawful basis: contract (Art. 6(1)(b)).
  • Advertising data — daily ad-spend figures fetched from connected ad platforms (Meta Ads, Google Ads, TikTok Ads, and others), used for marketing cost reconciliation and profitability reporting. Lawful basis: contract (Art. 6(1)(b)).
  • Analytics data — page views, session data, and feature usage, collected via PostHog (EU-hosted). On the marketing website this runs only after you accept the cookie banner; in the application it is part of the processing you agree to at signup. Lawful basis: consent (Art. 6(1)(a)).
  • Technical data — IP address, browser type, device information, and cookies. Used for security, fraud prevention, rate limiting, and debugging. Lawful basis: legitimate interests (Art. 6(1)(f)).
  • Billing data — subscriptions, refunds, and cancellations are managed through our payment partners (Paddle, Razorpay, Dodo Payments, or Stripe, whichever is applicable). Payment details are collected and stored by the payment partner, not by us — we never see or store full card numbers. Billing is currently in USD. Lawful basis: contract (Art. 6(1)(b)).
  • Communications — messages you send to support, so we can help you and improve the service. Lawful basis: legitimate interests (Art. 6(1)(f)).

3. Third-Party Integrations

Rappel connects to third-party platforms only after you explicitly authorize each connection (typically via OAuth or an API key you provide):

  • Sales channels, marketplaces & POS — Shopify (including Shopify POS), Amazon, Walmart, WooCommerce, BigCommerce, Square (including Square POS), Squarespace: orders, products, customer records, inventory, transactions, payouts, and refunds.
  • Payment processors & BNPL — Stripe (including Stripe Connect and Stripe Terminal/POS), PayPal, Klarna, Adyen, Afterpay/Clearpay: payments, transactions, fees, payouts, refunds, and disputes. We never store payment card details.
  • Accounting & ERP — QuickBooks Online, Xero, Zoho Books, Sage Business Cloud: journal entries, customers, products, inventory, exchange rates, purchase orders, sales, tax, accounts, bills, invoices, and journal reporting. We fetch data and push entries back (such as journal entries and invoices) strictly based on the permissions you grant and the features you enable.
  • Advertising — Meta Ads, Google Ads, TikTok Ads, and other ad platforms: daily ad spend and campaign performance data, used for marketing cost reconciliation and profitability reporting.

The current list of supported platforms is always available on our Integrations page. We access only the data needed to provide the service, and we act on your instructions. You can disconnect an integration at any time, which revokes our access. Your use of those platforms remains governed by their own terms and privacy policies, and we are not responsible for their data practices.

4. How We Store & Protect Data

  • Data residency — data is stored in the EU/US regions by default (file storage in the EU/US; analytics in the EU). Enterprise customers may choose a preferred database region, including US, UK, EU, AU, and IN. When data moves between regions — for example between our EU and US infrastructure, or to any other region you select — it is always transferred over encrypted channels and protected by the cross-border safeguards described in Section 9.
  • Credential encryption — integration credentials (OAuth tokens, API keys, access tokens) are encrypted at rest using AES-256 and are never stored or logged in plaintext.
  • Business data — orders, transactions, customers, and journal entries are stored in access-controlled PostgreSQL databases protected by infrastructure-level security. This data is not additionally encrypted at the application level.
  • In transit — all connections use TLS 1.2/1.3 (HTTPS everywhere).
  • Access — production access is restricted to the operator and protected by authentication; bot protection (Cloudflare Turnstile) and rate limiting guard all public endpoints.

See our Security page for full details of our security practices.

5. Will Your Information Be Shared With Anyone?

In short: we only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfil business obligations. We never sell, rent, or trade your information.

We may process or share data we hold based on the following legal bases:

  • Consent — where you have given us specific consent to use your personal information for a specific purpose.
  • Legitimate interests — where it is reasonably necessary to achieve our legitimate business interests.
  • Performance of a contract — where we have a contract with you, to fulfil the terms of that contract.
  • Legal obligations — where we are legally required to disclose information to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal process.
  • Vital interests — where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, threats to the safety of any person, or illegal activities.

More specifically, we may need to share your information in the following situations:

  • Vendors & service providers (sub-processors) — third-party providers who perform services on our behalf and need access to do that work: hosting, payment processing, analytics, email delivery, and error monitoring. They are listed in the table below. Our data processing contracts mean they cannot do anything with your information except on our instructions, may not share it with anyone else, and must protect it and retain it only as long as we instruct.
  • Business transfers — if Rappel is involved in a merger, sale of assets, financing, or acquisition, your information may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy and give you the opportunity to delete your account beforehand.
  • Legal compliance — where disclosure is required by law, court order, or governmental authority, or necessary to protect the rights, property, or safety of Rappel, our users, or others.

We do not share your information with affiliates or business partners for promotional purposes, and the Service has no public areas where your information could be visible to other users.

The sub-processors we currently use, what they do, and where they are located:

Sub-processorPurposeLocation
SupabasePostgreSQL database (application data) — enterprise customers may choose their database region (US, UK, EU, AU, IN, and more)EU / US (default)
NeonPostgreSQL database — enterprise customers may choose their database region (US, UK, EU, AU, IN, and more)EU / US (default)
Cloudflare R2File storageEU / US (default)
VercelWebsite and application hosting (rappelhq.com and app.rappelhq.com), CDNGlobal (EU / US)
Cloudflare TurnstileBot protection on forms, DNSGlobal
Fly.io / Railway / RenderBackend hosting (API server and background workers) — the provider in use may vary over timeEU
UpstashRedis (cache and streams)EU
PostHogProduct analytics (consent-based)EU (Frankfurt)
Resend / PostmarkTransactional email deliveryEU / US (default)
PaddlePayment processing (Merchant of Record, where applicable)Global
RazorpayPayment processing (where applicable)India
Dodo PaymentsPayment processing (Merchant of Record, where applicable)Global
StripePayment processing (where applicable)Global
SentryError monitoringEU / US (default)

We will update this list when sub-processors change. We do not sell your personal data to anyone, and no sub-processor may use your data for its own purposes.

6. Data Retention

  • Account data — retained while your account is active, and deleted on your request. If you are not on a paid subscription and your account remains inactive for more than 3 continuous months, we reserve the right to delete the account and its data automatically, without any prior notice or intimation.
  • Business data from integrations — deleted on your request. For accounts without a paid subscription that remain inactive for more than 3 continuous months, we reserve the right to delete this data automatically, without any prior notice or intimation. For subscribed accounts, data is retained per your plan's retention policy (3 months, 6 months, 12 months, 2 years, 3 years, or more, depending on plan) and is deleted on your request.
  • Disconnecting an integration — we immediately stop fetching and processing new data from that platform, but data already synced is retained and may continue to be processed under the rules above until you request deletion or the applicable retention period ends.
  • Integration credentials — deleted promptly when you disconnect an integration or delete your account.
  • Analytics data — retained for up to 24 months on PostHog's EU servers.
  • Billing records — retained by our payment partners and by us as required by tax law (typically up to 7 years).
  • Support communications — retained for up to 3 years.
  • Backups — any other data held in backups is retained for up to 6 months, or longer where required by applicable local laws.

You can request earlier deletion of your account and data at any time by emailing privacy@rappelhq.com. We action deletion requests within 30 days, subject to legal retention obligations.

7. Your Rights

Wherever you are located, you can exercise the following rights by emailing privacy@rappelhq.com:

  • Access — request a copy of the personal data we hold about you.
  • Correction — ask us to fix inaccurate or incomplete data (most account data can be edited directly in Settings).
  • Portability — receive your data in a structured, machine-readable format (CSV / JSON).
  • Erasure — request deletion of your account and personal data by email.
  • Restriction — ask us to limit processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing relies on consent (e.g. analytics), withdraw it at any time without affecting prior processing.

We respond to all requests within 30 days and will verify your identity (normally via your account email) before acting on a request. We never discriminate against you for exercising your rights.

8. Cookies

We use strictly necessary cookies (authentication, CSRF protection, bot protection), consent-based analytics cookies (PostHog, EU-hosted, first-party only), and preference cookies (theme). We use no advertising cookies, no Google Analytics, and no Facebook Pixel.

Full details — including a complete cookie table and how to manage or withdraw consent — are in our Cookie Policy.

9. Cross-Border Data Transfers

Your data is stored in the EU/US regions by default, regardless of where you are located — which may mean it is transferred to and stored in a country different from your own. Enterprise customers may choose a preferred database region (US, UK, EU, AU, IN, and more).

  • The operator accesses systems from India for administration and support. This access is protected by the safeguards described in Section 4, and is governed by contractual commitments equivalent to EU Standard Contractual Clauses (SCCs).
  • Where data moves between our own regions — for example between EU and US infrastructure, or to any other region you select — transfers always occur over TLS-encrypted channels and are protected by appropriate safeguards, including EU Standard Contractual Clauses and the EU-US Data Privacy Framework where applicable.
  • Some sub-processors (transactional email, error monitoring, payment processing) operate from the United States or globally; transfers to them rely on SCCs and equivalent safeguards such as the EU-US Data Privacy Framework where applicable.
  • When you connect a third-party integration, data flows between Rappel and that platform per your instructions; the destination platform's own location and policies then apply.
  • Enterprise customers who select a specific database region (US, UK, EU, AU, IN, etc.) are explicitly choosing that data residency for their workspace data.

10. GDPR Compliance (EU & UK)

If you are in the European Economic Area or the United Kingdom, the GDPR / UK GDPR applies. The lawful bases for each processing activity are listed in Section 2, and your rights in Section 7 correspond to Articles 15–21 GDPR.

  • We act as data controller for your account data and as data processor for the business data you sync.
  • A Data Processing Agreement (DPA) covering our processor role is available on request.
  • We will notify affected users within 72 hours of becoming aware of a personal data breach that risks your rights and freedoms.
  • You have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK or your national Data Protection Authority in the EU).

11. CCPA (California)

If you are a California resident, the California Consumer Privacy Act (CCPA/CPRA) gives you specific rights:

  • We do not sell your personal information and we do not share it for cross-context behavioural advertising. We have not done so in the preceding 12 months.
  • Right to know — the categories listed in Section 2 are the categories of personal information we collect; Section 5 lists who we disclose them to (service providers only).
  • Right to delete — request deletion via email; we will honour it subject to legal exceptions.
  • Right to correct — request correction of inaccurate personal information.
  • Right to non-discrimination — we will never penalise you for exercising your CCPA rights.

To exercise these rights, email privacy@rappelhq.com with “CCPA Request” in the subject line.

12. DPDP Act 2023 Compliance (India)

As the operator is based in India, we comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) in our role as a data fiduciary for users' personal data:

  • We process personal data only for lawful purposes, with your consent or for legitimate uses recognised by the Act (such as performing the service you signed up for).
  • We collect only the data needed for the stated purposes (data minimisation) and take reasonable security safeguards as described in Section 4.
  • You may access, correct, and request erasure of your personal data, and you have the right to grievance redressal.
  • You may nominate another individual to exercise your rights in the event of death or incapacity.
  • We will notify the Data Protection Board of India and affected users of personal data breaches as required by the Act.

Grievances are handled by the Grievance Officer listed in Section 16. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.

13. Australian Privacy Act

For users in Australia, we handle personal information consistently with the Australian Privacy Principles (APPs):

  • We collect personal information only as needed to provide the service, and this policy serves as our APP 1 privacy notice.
  • Your data is stored overseas (in the EU, as described in Section 9); we take reasonable steps to ensure overseas recipients handle it consistently with the APPs.
  • You may access and correct your personal information, and complain about a breach of the APPs, by contacting us.
  • If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC).

14. Children's Data

Rappel is a business product and is not directed at individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact us at privacy@rappelhq.com and we will delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will post the updated policy on this page and revise the “Last updated” date shown at the top. For material changes, we will additionally display a notice on our website or in the app before the changes take effect. Continued use of Rappel after the effective date constitutes acceptance of the updated policy, so please check this page periodically.

16. Contact & Grievance Officer

For any privacy question, data request, or grievance (including under the Indian DPDP Act 2023):

Rappel (rappelhq.com)

Independently operated from India

Grievance Officer / privacy contact: privacy@rappelhq.com

General support: support@rappelhq.com

We acknowledge grievances within 72 hours and aim to resolve them within 30 days.