Privacy Policy

Last Updated: February 2026

Introduction

CertNode ("we", "us", or "our") operates the Reflex automated dispute response service, Evidence Vault pre-dispute evidence capture, and Recover failed payment recovery. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Information We Collect

1. Transaction Data

When you use Reflex, we collect and process:

  • Payment and order IDs from connected platforms (Stripe, Shopify, etc.)
  • Transaction amounts and currencies
  • Customer email addresses and names
  • Billing and shipping addresses
  • Product descriptions and metadata
  • Payment timestamps and status

2. Fulfillment Evidence

To defend against disputes, we collect:

  • Delivery confirmations and tracking information
  • Customer access logs and login timestamps
  • Content download records
  • Service usage and engagement data
  • Support interaction history
  • Policy acknowledgment records

3. User Account Information

  • User ID and authentication credentials
  • Subscription status and billing information
  • Email preferences and notification settings
  • Manual override preferences for dispute handling

4. Dispute Information

  • Dispute IDs and status from connected platforms
  • Dispute reasons and amounts
  • Evidence submitted to payment processors
  • AI-generated narratives and summaries
  • Win probability estimates
  • Dispute outcomes and resolutions

5. Recovery Data (CertNode Recover)

When you use CertNode Recover for failed payment recovery, we collect and process:

  • Failed invoice IDs, amounts, and decline codes from Stripe
  • Customer email addresses for dunning communications
  • Customer phone numbers (only if you enable SMS recovery and provide Twilio credentials)
  • Recovery attempt history (retry dates, outcomes, difficulty scores)
  • Dunning email and SMS delivery status (sent, opened, clicked)
  • Card update page interactions
  • Payment plan acceptance records
  • Twilio API credentials (encrypted at rest, used only for sending SMS on your behalf)

6. Evidence Vault Data (CertNode Vault)

When you use CertNode Evidence Vault, we collect and process:

  • 3D Secure authentication results and version
  • AVS (Address Verification System) check results
  • CVC (Card Verification Code) check results
  • Device fingerprint hash (SHA-256 — raw browser signals are not stored)
  • IP address at time of payment
  • Card brand, last four digits, and issuing country
  • Stripe risk level assessment
  • RFC 3161 certified timestamps proving when evidence was collected

What we do NOT store: Full card numbers, customer names, email addresses, billing addresses, or any data beyond what is needed for chargeback defense. Device fingerprints are stored as one-way SHA-256 hashes for matching purposes only.

How We Use Your Information

Automated Dispute Response

  • Gathering evidence from transaction and fulfillment records
  • Generating AI-powered dispute narratives
  • Submitting comprehensive evidence to payment platforms
  • Calculating win probability estimates

Communication

  • Sending email notifications about dispute responses
  • Alerting you to dispute status changes (won/lost/under review)
  • Providing confidence scores and evidence summaries

Payment Recovery (CertNode Recover)

  • Scheduling smart retries for failed subscription payments
  • Sending branded dunning emails to customers with failed payments
  • Sending SMS recovery messages via your Twilio account (if enabled)
  • Hosting card update pages for customers to enter new payment details
  • Creating payment plans for past-due amounts
  • Generating RFC 3161 certified proof receipts for recovered payments
  • Sending monthly ROI summary emails to merchants

Pre-Dispute Evidence Collection (CertNode Vault)

  • Capturing authentication and verification data at the time of each successful payment
  • Generating RFC 3161 certified timestamps to prove when evidence was collected
  • Storing evidence for up to 13 months to cover the full chargeback dispute window
  • Linking vault evidence to dispute responses when chargebacks are filed
  • Generating billing invoices for evidence capture usage

Service Improvement

  • Analyzing dispute outcomes to improve AI narratives
  • Identifying patterns in successful defenses
  • Optimizing evidence gathering strategies

Legal Compliance

  • Complying with payment processor requirements
  • Responding to legal requests and subpoenas
  • Protecting against fraud and abuse

Data Storage and Security

Storage Location

  • All data is stored in Supabase (PostgreSQL) databases
  • Encryption at rest and in transit using industry-standard protocols
  • Regular backups and disaster recovery procedures

Data Retention

  • Transaction receipts: Retained for 7 years (legal requirement)
  • Dispute records: Retained for 5 years after resolution
  • User account data: Retained while account is active
  • Email notification logs: Retained for 1 year
  • Evidence Vault data: Retained for 13 months from capture (covers full chargeback window for all major card networks). RFC 3161 timestamp tokens retained indefinitely as they contain no PII.

Security Measures

  • Role-based access controls (RLS policies)
  • API authentication via service role keys
  • Encrypted communication with third-party services
  • Regular security audits and penetration testing

Data Sharing and Disclosure

Third-Party Services

We share data with:

Payment Platforms (Stripe, Shopify, etc.): Payment processing and dispute management

  • Charge, order, and customer information
  • Evidence submissions and narratives
  • Dispute status updates

Resend: Email notification delivery

  • Recipient email addresses
  • Notification content and templates

AI Services: Evidence narrative generation

  • Anonymized transaction data
  • Product descriptions and fulfillment evidence

Legal Requirements

We may disclose information when required to:

  • Comply with court orders or legal processes
  • Protect our rights and property
  • Prevent fraud or security threats
  • Cooperate with law enforcement

User Rights and Controls

Access and Portability

  • View all your transaction and dispute data in the Founder Dashboard
  • Export your data in machine-readable formats
  • Request copies of all information we hold about you

Correction and Deletion

  • Update your account information and preferences
  • Request correction of inaccurate data
  • Request deletion of your account and associated data (subject to legal retention requirements)

Manual Override Controls

  • Disable Reflex autopilot globally via user settings
  • Exclude specific disputes from automated response
  • Opt out of email notifications

GDPR Compliance (EU Users)

Legal Basis for Processing

  • Contractual necessity: Processing required to provide Reflex service
  • Legitimate interests: Fraud prevention and service improvement
  • Consent: Email notifications (can be withdrawn)

Your GDPR Rights

  • Right to access your data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

CCPA Compliance (California Users)

Your California Rights

  • Right to know what data we collect
  • Right to delete personal information
  • Right to opt out of data sales (we do not sell data)
  • Right to non-discrimination

Do Not Sell: We do not sell your personal information to third parties.

Contact Us

For privacy-related questions or requests:

Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated "Last Updated" date. Continued use of Reflex after changes constitutes acceptance.

Effective Date: February 1, 2026
By using Reflex, you acknowledge that you have read and understood this Privacy Policy.