Privacy Policy

Effective June 2026 · Last updated 2026-06-01

1. Who we are

Recoup is operated by Bendik Moe Krogh (EyeCu), based in Oslo, Norway. Contact: hello@recoup.cloud.

2. What we collect

Account data

When you sign in (email, Google, Apple, Spotify, or Discord) we store your email address, OAuth provider ID, and the display name your provider shares.

Contract files

Contracts you upload are parsed by an LLM. The original PDF or image is retained for authenticated users so you can re-read it later. Anonymous contract drops are processed in-memory and never written to disk.

Song data

Songs you add via Spotify import are stored with ISRC, title, artist, and cover art URL. Streaming data is fetched from Songstats (RapidAPI) and cached as earnings snapshots.

Billing

Stripe handles all payments. We store your Stripe customer ID and subscription status. We never see or store your card number.

Usage & diagnostics

We log anonymous page views (PostHog) and runtime errors (Sentry) to keep the service running. No personally identifiable data is sent to these tools.

3. How we use your data

  • To show you your contracts, songs, and earnings projections.
  • To fetch streaming data for songs you've added.
  • To manage your subscription and process payments (via Stripe).
  • To send service emails (password reset, billing notices) via Resend.
  • To debug errors and improve the product (Sentry, PostHog).

We do not sell your data. We do not use your contracts or songs to train AI models. Your uploads are yours.

4. Data retention

  • Active accounts: all data is retained while your account is active.
  • Deleted accounts: all personal data is permanently deleted within 30 days. Anonymised aggregate metrics may be retained.
  • Anonymous drops: contracts uploaded without signing in are processed in-memory only. No copy is stored on disk.
  • Error logs: Sentry retains crash reports for 90 days.

5. Cookies

Recoup uses only essential cookies:

  • Supabase auth session — keeps you signed in. Strictly necessary.
  • Stripe checkout session — processes your payment. Session-only.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. PostHog is configured cookie-less (memory-only session ID).

6. Data handling & storage

Where data lives

  • User data: Supabase Postgres (eu-central-1, Frankfurt).
  • Files & uploads: Supabase Storage (encrypted at rest).
  • Application hosting: Vercel (iad1, Washington DC).
  • Streaming data: fetched on-the-fly from Songstats (RapidAPI).
  • LLM parsing: contract text is sent to Anthropic (Claude) or DeepSeek for extraction. No files are sent — only the extracted text layer.

Encryption

All data in transit is encrypted via TLS 1.3. Data at rest in Supabase is AES-256 encrypted. Supabase Storage buckets are private and access-controlled.

7. Your rights (GDPR)

As a Norway-based service, Recoup complies with GDPR. You have the right to:

  • Access all personal data we hold about you.
  • Correct inaccurate data.
  • Delete your account and all associated data.
  • Export your data in a machine-readable format.
  • Withdraw consent at any time.

To exercise any of these rights, email hello@recoup.cloud. We respond within 30 days. You can also delete your account yourself from Settings → Data.

8. Third-party services (subprocessors)

We rely on the following services to operate Recoup. See the full subprocessor list for details on each provider, their location, and the data they process.

9. Contact

Bendik Moe Krogh (EyeCu)
Oslo, Norway
hello@recoup.cloud