Legal

The Service helps Merchants defend against payment-card disputes (Representment) and prevent certain chargebacks before they are filed (Prevention). To do this, ChargePilot connects to a Merchant’s payment processor and other business systems, analyzes dispute and transaction data, and — on the Merchant’s instructions — assembles and submits dispute evidence and, where enabled, issues refunds and sends verification emails.

For Representment and other Merchant-directed activity, the Merchant is the controller / business and ChargePilot is the processor / service provider. For activities where ChargePilot determines the purposes and means of processing across Merchants — in particular the forthcoming ingestion of Alert Data spanning many Merchants and Cardholders, and any model improvement performed on pooled data — ChargePilot may be an independent or joint controller. This Policy applies to ChargePilot’s processing where it acts as a controller; where it acts as a processor, the Merchant’s own privacy notice governs and requests are routed as described in Section 12.

• Privacy contact: privacy@chargepilot.ai
• General / support contact: support@chargepilot.ai

Cardholders are not users of ChargePilot and have no direct relationship with it; Section 10 explains how requests by or about Cardholders are handled.

3.1 Stripe dispute and transaction data

Dispute records, reasons and statuses, transaction metadata (amounts, dates, currency, descriptors), payment outcomes, and the last four digits of the payment card — received from your Connected Stripe Account via OAuth. We do not collect or store full card numbers. We use this data to analyze disputes, assemble and submit evidence before the deadline, operate Prevention, and calculate Fees.

3.2 Integration evidence data

Order and fulfillment information, line items, amounts and dates, shipping and tracking details, delivery confirmation, customer order history, and support records — to the extent needed to build dispute evidence. These come from the Integrations you connect. Integrations currently available include Stripe (native), Shopify, WooCommerce, BigCommerce, Recharge, Skio, Gorgias, Help Scout, Gmail (read-only), and ShipStation; PayPal is planned. We use this data solely to substantiate that an order was placed, paid, fulfilled, and delivered.

3.3 Gmail data (read-only)

Where you connect Gmail, we access email subjects, dates, and message content from threads between you and the customer associated with a dispute, using the read-only gmail.readonly scope. We never send, modify, or delete messages. Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements (see Section 8).

3.4 Alert Data (forthcoming)

If and when the forthcoming pre-dispute alert tier launches, it will process Alert Data — pre-dispute alert data from card networks (Ethoca for Mastercard and Verifi / RDR for Visa), received through a third-party reseller, including Cardholder identifiers, disputed-transaction details, and the pre-dispute reason. Because Alert Data is not collected from the Cardholder, the indirect-collection notice in Section 10 applies. This tier is not currently offered.

3.5 Cardholder email for EFW Emails

Where you enable EFW Emails, we process a Cardholder email address and the minimum transaction context needed to send a verification email in which you are the legal sender (“{Merchant} via ChargePilot”). We do not use Cardholder email addresses for our own marketing.

3.6 Account and usage data

Merchant account details (business name, account identifiers, authorized-user name and email), authentication data, configuration settings, billing and fee records, and product usage and diagnostic logs (such as actions taken, error states, IP address, and device/log metadata). We use this to create and secure accounts, provide and support the Service, calculate and invoice Fees, prevent fraud and abuse, and improve reliability and performance.

3.7 Website visitors and prospective Merchants

Separately from the Service, our website processes limited data of visitors. When you submit our lead form, we collect your email address, optional phone number, and request metadata to follow up about the product; the lead is delivered to our team by email (SendGrid) and SMS (Twilio), and where you provide a mobile number we may send you an install-link SMS. When you use our website support chat, your messages are processed by a third-party AI provider (Anthropic) to generate responses, and if you ask to reach a person, we collect the name, email, and conversation you provide and send it to our team by email and SMS. The website does not write this data to a ChargePilot database; it is relayed by email and SMS only.

ChargePilot uses the data described above to:

• provide, operate, maintain, and secure the Service;
• analyze disputes and signals and decide whether to fight or refund;
• gather and assemble dispute evidence from connected Integrations;
• submit Representment to your payment processor before applicable deadlines, on your instruction;
• operate Prevention, including Stripe EFW auto-refunds and EFW Emails;
• calculate, invoice, and collect Fees;
• authenticate users and prevent fraud, abuse, and unauthorized access;
• maintain security, audit, and diagnostic logs; comply with legal and card-network requirements; and improve the reliability, performance, and models of the Service.

ChargePilot does not use the data for third-party advertising or marketing, and does not sell personal data (see Section 9).

ChargePilot uses artificial intelligence to read dispute, transaction, and Integration evidence and to draft dispute-evidence packages, and to make automated decisions about whether to fight a dispute or signal or to refund the Cardholder (including issuing an automated refund through your Connected Stripe Account). These decisions weigh signals such as the dispute or alert reason, the strength of available evidence, transaction characteristics, and the economics of pursuing the dispute against the likelihood of a successful defense.

To protect the integrity of fraud prevention, ChargePilot does not publish the internal scoring, thresholds, or rules used to make these decisions. Where the law grants rights regarding solely automated decisions that produce legal or similarly significant effects, affected individuals may have the right to obtain meaningful information about the logic involved (at the level described here), to request human review, and to contest a decision; because Cardholders have no direct relationship with ChargePilot, such requests are generally routed through the relevant Merchant (see Section 12).

ChargePilot’s third-party AI providers process data on ChargePilot’s behalf as subprocessors under contracts that prohibit them from using ChargePilot’s, its Merchants’, or any Cardholder data to train, fine-tune, or improve their own or any cross-client models.

Where the EU or UK GDPR applies and ChargePilot acts as a controller, it relies on the following legal bases: performance of a contract (to provide the Service and administer accounts and Fees); legitimate interests (for fraud prevention, dispute defense, security, and AI-assisted analysis, balanced against the rights of affected individuals); legal obligation (where processing is required by law); and consent (only where required and obtained). Where processing is based on legitimate interests, affected individuals have the right to object as described in Section 12.

• ChargePilot never stores full card numbers (PAN); PCI-scope card data stays inside Stripe, and ChargePilot stores dispute results and the last four digits only.
• ChargePilot does not store Sensitive Authentication Data after authorization, including CVV/CVC, full track data, or PIN.
• ChargePilot connects to your Connected Stripe Account via OAuth 2.0 and never holds your Stripe secret key; you can revoke the scoped access token at any time.

ChargePilot’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

• Scope: read-only Gmail access (gmail.readonly), used solely to find customer email threads related to a disputed transaction.
• ChargePilot never sends, modifies, or deletes Gmail messages.
• Gmail data is used only to build dispute evidence and is shared only with your payment processor as part of your dispute submission. It is never sold, never used for advertising, and never used to develop, improve, or train generalized or non-personalized AI/ML models.
• No person, including ChargePilot personnel, accesses your Google user data except with your affirmative consent for a specific support request, as necessary for security, as required by law, or where the data has been aggregated and anonymized for internal operations.
• Gmail data is processed at the time of dispute handling and is not retained beyond what is needed for the dispute-evidence package; it is purged when the associated dispute is deleted or the Gmail integration is disconnected.
• You can disconnect the Gmail integration at any time from ChargePilot’s settings or from your Google Account permissions; revocation is immediate.

ChargePilot does not sell personal data, and does not share personal data for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA and similar laws. We do not engage in targeted advertising or profiling for advertising, and data collected through the Integrations is used only for dispute, fraud-prevention, and Service-operation purposes. We honor the Global Privacy Control (GPC) and similar browser opt-out signals as a request to opt out of any sale or sharing where applicable.

Cardholders are not users of ChargePilot and have no direct relationship with it. ChargePilot obtains Cardholder data indirectly — from the Merchant’s Connected Stripe Account and connected systems, and (for the forthcoming alert tier) from card networks via a reseller — not from the Cardholder. For Cardholders in the EU/UK, this Section, together with Sections 3, 6, 11, 12, and 13, is intended to provide the information required under GDPR Article 14 for personal data not obtained from the data subject. Because Cardholders have no account with ChargePilot and ChargePilot often holds only limited identifiers, ChargePilot makes this information publicly available (this Policy) and relies on the Merchant — who has the direct customer relationship — to provide front-line notice to its customers.

ChargePilot uses a limited set of vendors (“subprocessors”) to provide the Service and operate its website. Each is bound by contract to confidentiality, security, and use-limitation obligations, and processes data only to provide services to ChargePilot. We provide advance notice of new subprocessors that process Merchant data and maintain the current list below.

The Integrations you connect (such as your store, subscription, or support platforms) are your own data sources connected at your direction, not ChargePilot’s subprocessors. For cookies and similar technologies, see our Cookie Policy.

We may also disclose data to comply with law, legal process, or card-network rules; to protect the rights, safety, and security of ChargePilot, Merchants, Cardholders, or others; and in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

Depending on your location, you may have rights to access, correct, delete, port, object to, or restrict the processing of your personal data, to opt out of sale, sharing, or targeted advertising, and to be free from retaliation for exercising these rights. ChargePilot does not sell personal data or share it for cross-context behavioral advertising.

• Merchants and their users may exercise rights, or request an export or deletion of their account data, by contacting privacy@chargepilot.ai or support@chargepilot.ai. We verify requests before acting.
• Because Cardholders have no direct relationship with ChargePilot, a Cardholder should generally direct requests to the Merchant they transacted with. Where ChargePilot acts as a processor, it will forward a Cardholder request to the relevant Merchant and assist in responding; where ChargePilot acts as a controller, it will respond directly, subject to verification. Because ChargePilot may hold only limited identifiers, verification may require additional information, and ChargePilot may be unable to act on a request it cannot reasonably verify.
• Where required, you may appeal a denied request by replying to our response. EU/UK individuals may lodge a complaint with their supervisory authority; California residents may contact the California Privacy Protection Agency.
• Requests may be submitted by an authorized agent where the law permits, subject to proof of authorization and verification. We honor the Global Privacy Control (GPC) as an opt-out signal where applicable.

ChargePilot retains data while a Merchant’s account is active and as needed for billing, dispute and representment recordkeeping, security, and legal compliance, and deletes it promptly following account closure or app uninstall and on a verified deletion request, except where retention is required by law. ChargePilot does not currently enforce a fixed, automated in-life retention time-to-live and does not represent a retention period it does not enforce. Gmail data is not retained beyond the dispute-evidence package. Where ChargePilot must retain data to comply with law, resolve disputes, or enforce agreements, it retains the minimum necessary for that purpose, after which the data is deleted or de-identified.

ChargePilot stores the product’s data in the United States (Google Cloud / Firebase) and hosts its marketing website on Vercel. Where data is transferred from the EEA, UK, or Switzerland to the United States or another country that may not provide an equivalent level of protection, ChargePilot relies on appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), together with any required transfer-impact assessment.

ChargePilot applies administrative, technical, and physical safeguards designed to protect data, including: encryption in transit (TLS 1.2+); encryption at rest (AES-256, with AES-256-GCM for sensitive credentials); secrets managed in Google Cloud Secret Manager; OAuth 2.0 scoped tokens (ChargePilot never holds your Stripe secret key); per-Merchant data isolation in Firestore with server-side rules, in a United States region; and payment-data minimization (results and last-4 only; no PAN or Sensitive Authentication Data). ChargePilot’s application security has been verified at CASA Tier 2 through an independent DAST scan by TAC Security; CASA Tier 2 is an application-security assessment and is not a SOC 2 examination. No method of transmission or storage is completely secure, and ChargePilot cannot guarantee absolute security.

The Service is a business-to-business product intended for Merchants. It is not directed to children, and ChargePilot does not knowingly collect personal data from children. Cardholder data is processed only as transaction- and fraud-related data sourced from Merchants and networks, not collected from individuals directly.

ChargePilot may update this Policy from time to time. Material changes will be indicated by updating the “Last updated” date and, where appropriate, by additional notice. Continued use of the Service after an update constitutes acceptance of the updated Policy to the extent permitted by law.

Privacy: privacy@chargepilot.ai. General / support: support@chargepilot.ai.