Data Processing Addendum

Last updated June 25, 2026

This Addendum forms part of the Terms of Service between you (the “Customer”) and RefundSheriff. It governs our processing of personal data about your customers on your behalf, under Article 28 GDPR.

Roles

You are the controller of your customers’ personal data. RefundSheriff is the processor, acting only on your documented instructions (which include these terms and your use of the product).

Scope of processing

  • Subject matter & purpose: scoring refunds/chargebacks for abuse, detecting repeat offenders, and assembling/filing dispute evidence.
  • Duration: for as long as your Stripe account is connected and your account is open.
  • Types of data: customer name and email, card fingerprints (pseudonymous), country, charge/refund/dispute details, and any product-usage events you send. No full card numbers.
  • Data subjects: your customers who transact through your connected Stripe account.

Our obligations

  • Process the data only on your instructions and for the purposes above.
  • Keep the data confidential and ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Article 32) — encryption in transit and at rest, hashed credentials, access controls, and row-level security.
  • Assist you, as far as reasonable, with data-subject requests, security, breach notification, and DPIAs.
  • Notify you without undue delay after becoming aware of a personal-data breach.
  • Delete or return the data on termination, and delete data for a Stripe account when you disconnect it.
  • Make available information needed to demonstrate compliance and allow audits on reasonable notice.

Sub-processors

You authorize us to use the following sub-processors, who are bound by equivalent obligations:

  • Stripe — payment data, read via the restricted API key you provide.
  • Supabase — database hosting.
  • Resend — transactional email.
  • Vercel — application hosting.

We’ll give reasonable notice of any new sub-processor and you may object on legitimate grounds.

International transfers

Where a sub-processor is outside the EU/EEA, transfers are covered by appropriate safeguards such as the EU Standard Contractual Clauses.

Contact

Data-protection questions: hello@refundsheriff.com.