Trust & Compliance

How ReCapture handles your data, your visitors, and the laws that govern both.

ReCapture sits between your forms and your visitors. That means we take compliance seriously — not as marketing, but as a working operational discipline. This page tells you exactly what we capture, when, why, and what your responsibilities are as the customer deploying our software.

Last updated: May 2026. Material changes will be communicated in advance to active customers.

01 — What we capture

Form abandonment data, captured before submission.

When a visitor begins typing into a form on a customer’s website, ReCapture captures: name, email, phone number, free-text fields they have filled in, the time spent on the form, the device type, and the page URL.

We do not capture: passwords, payment card numbers and CVVs, social security numbers, or any field either marked sensitive by the customer or detected as sensitive by our defensive filters.

Field values are captured on every keystroke once the first character has been entered, and are transmitted in a heartbeat every 15 seconds and on tab close, page navigation, and exit-intent. Visitors who never start typing are never captured.

EU, UK, and Swiss visitors are blocked in the tracker itself, using IP geolocation, so no data is captured from these regions. If the visitor's location cannot be resolved, the tracker fails closed and captures nothing.

Visitors on customer sites with active cookie consent platforms (OneTrust, Cookiebot, CookieYes) are only tracked when consent has been granted.
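The capture gate the points above describe, as an added illustration and not ReCapture's tracker code: it fails closed when geolocation is unresolved, blocks the listed regions, defers to a consent platform's decision, and refuses to buffer sensitive fields. Field objects stand in for DOM inputs, the `sensitiveMarked` flag stands for whatever marker a customer applies, the token blocklist is illustrative rather than the product's filter, and the sample context at the end is constructed.

```javascript
// Added example, not ReCapture's tracker. Fields are plain objects standing in
// for DOM inputs; `sensitiveMarked` is an assumed customer-applied marker.

// Regions the page says are never captured: EU member states, UK, Switzerland
// (ISO 3166-1 alpha-2 codes).
const BLOCKED_COUNTRIES = new Set([
  "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
  "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
  "SE", "GB", "CH",
]);

// geo: { resolved: boolean, country?: string }. consent: null when no consent
// platform is on the page, else { platformPresent: true, granted: boolean }.
function captureAllowed(geo, consent) {
  if (!geo || !geo.resolved) return false;              // lookup failed: fail closed
  if (BLOCKED_COUNTRIES.has(geo.country)) return false;
  if (consent && consent.platformPresent && !consent.granted) return false;
  return true;
}

// Field classification. `type` and `autocomplete` values are the HTML ones;
// the token list is an illustrative blocklist.
const SENSITIVE_TYPES = new Set(["password", "hidden"]);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|current-password|new-password|one-time-code)/;
const SENSITIVE_TOKENS = new Set([
  "password", "passwd", "pwd", "ssn", "social", "card", "creditcard", "cc",
  "ccnumber", "cvv", "cvc", "cvn", "iban",
]);

// "cardNumber" and "card_number" both yield ["card", "number"], so a token
// match does not fire on unrelated words such as "company".
function tokens(s) {
  return s.replace(/([a-z])([A-Z])/g, "$1 $2").toLowerCase()
    .split(/[^a-z0-9]+/).filter(Boolean);
}

function isSensitiveField(field) {
  if (field.sensitiveMarked) return true;
  if (SENSITIVE_TYPES.has((field.type || "text").toLowerCase())) return true;
  if (SENSITIVE_AUTOCOMPLETE.test((field.autocomplete || "").toLowerCase())) return true;
  return tokens(field.name || "").concat(tokens(field.id || ""))
    .some((t) => SENSITIVE_TOKENS.has(t));
}

// Value-level backstop: a card number or SSN typed into an unlabelled free-text
// field is dropped on content alone. Coarse by design: any bare 9-digit string
// is treated as a possible SSN.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

function looksLikeRestrictedValue(value) {
  if (/^\d{3}-\d{2}-\d{4}$/.test(value.trim())) return true;   // SSN, dashed
  const digits = value.replace(/[\s-]/g, "");
  if (/^\d{9}$/.test(digits)) return true;                      // SSN, bare
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);       // card PAN
}

// One keystroke's worth of buffering. Returns null when nothing may be kept.
function bufferField(ctx, field, value) {
  if (!captureAllowed(ctx.geo, ctx.consent)) return null;
  if (!value || isSensitiveField(field) || looksLikeRestrictedValue(value)) return null;
  return { name: field.name, value, capturedAt: ctx.now };
}

// Constructed sample run: a US visitor with consent granted fills two fields.
const sampleCtx = {
  geo: { resolved: true, country: "US" },
  consent: { platformPresent: true, granted: true },
  now: 1700000000000,
};
const kept = bufferField(sampleCtx, { name: "email", type: "email" }, "pat@example.com");
const dropped = bufferField(sampleCtx, { name: "cardNumber", type: "text" }, "4111 1111 1111 1111");
```

Two design points worth noting. The value-level check is the part a field-label filter alone does not give you: a card number typed into a free-text "notes" field is still dropped, so a mislabelled form on a customer site cannot leak it. And the country list follows exactly the scope the page states (EU member states, UK, Switzerland); widening it is a policy decision, not a code one.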

02 — Customer responsibilities

ReCapture is the infrastructure. You own the relationship with your visitors.

ReCapture provides software. Customers control the deployment, the consent flows, and the visitor relationship. As a customer, you are responsible for:

  • Privacy policy disclosure. Your privacy policy must describe form abandonment recovery technology, the data captured, and how it is used. We provide a template at /legal/client-privacy-template.
  • Form consent language. Your contact forms must include consent language authorizing follow-up communications via the channels you have enabled (email, SMS, AI voice).
  • AI voice callback acknowledgment. If you enable AI voice callback, you explicitly acknowledge TCPA, FCC, and Texas SB 140 compliance responsibility through the in-app disclaimer.
  • BAA execution for healthcare. If you are a HIPAA-covered entity, you must execute a Business Associate Agreement with ReCapture before deploying. BAAs are available on Enterprise plans; healthcare-specific configuration is enabled once the agreement is signed.
  • Physical postal address. Required by CAN-SPAM. Your business address appears in the footer of every recovery email and must be kept accurate.
  • Honoring opt-outs. Our infrastructure handles opt-out detection and enforcement automatically. You agree not to manually re-contact a visitor who has opted out.

03 — Security posture

Encryption in transit and at rest. Row-level access controls. Audit logs.

All data transmitted between visitor browsers, our tracker, and our backend is encrypted in transit via TLS 1.3. All data at rest in our Postgres database is encrypted using AES-256.

Multi-tenant isolation is enforced at the database level via row-level security policies. A customer can only ever read or write data tied to their own account. API keys are scoped per-customer and revocable from the dashboard.

We log all administrative access. We do not access individual customer lead data without a documented support request from the customer.

SOC 2 Type II audit is on the roadmap for late 2026. We are happy to share our security questionnaire with enterprise prospects under NDA.

04 — TCPA & voice callback

AI voice callback is opt-in, disclosed, and quiet-hours aware.

AI voice callback is disabled by default for all new customers. Enabling it requires explicit acknowledgment of TCPA, FCC, and Texas SB 140 compliance responsibility, captured with timestamp and version in our database.

When AI voice callback is enabled, every call begins with a mandatory AI disclosure within the first 15 seconds, satisfying Texas SB 140 and FCC identification requirements.

Our AI concierge recognizes 14 opt-out trigger phrases (“stop,” “do not call,” “remove me,” “unsubscribe,” and similar). When detected, the call ends immediately and the phone number is added to our master Do Not Contact list, enforced across all channels (voice, SMS, email) for that visitor going forward.

Calls are placed only during the customer-configured call hours window and never during configured quiet hours. We do not place calls to numbers on the National Do Not Call Registry where the customer has indicated registry checking is required.

05 — Data retention

Lead data is retained as long as the customer account is active. Opt-outs are retained indefinitely.

Lead data captured by ReCapture is retained while the customer account is active and the customer has not requested earlier deletion. Customers can request deletion of any lead at any time via the dashboard.

Opt-out records (Do Not Contact entries) are retained indefinitely as a matter of regulatory compliance. Removing an opt-out record requires a written request from the visitor themselves.

When a customer cancels their account, all lead data tied to that account is purged within 30 days of cancellation. Opt-out records remain.

California residents may exercise CCPA rights (access, deletion, opt-out of sale) by contacting privacy@userecapture.com. We do not sell visitor data to third parties.

Visitor data captured by ReCapture is used exclusively to fulfil the recovery workflow you have configured (email, SMS, voice). It is never used to train, fine-tune, or improve any machine learning model, and it is not used for any purpose other than the recovery actions you have configured.

06 — Subprocessors

Vendors that process customer or visitor data on our behalf.

Vendor      Purpose                                      Region
Supabase    Database, authentication                     US
Vercel      Application hosting & edge delivery          US
Resend      Transactional & recovery email delivery      US
Twilio      SMS alerts to customer staff                 US
Retell AI   AI voice callback infrastructure             US
Stripe      Customer billing & subscription management   US

Material changes to our subprocessor list are communicated to active customers in advance via email.

07 — Healthcare & HIPAA

HIPAA-ready architecture. BAAs available on Enterprise plans.

ReCapture's architecture and subprocessor stack are designed to support healthcare deployments on every plan. A signed Business Associate Agreement, available on Enterprise plans, is required before a HIPAA-covered customer processes protected health information through ReCapture, and the agreement takes effect upon signature.

We restrict our subprocessor stack for healthcare customers to vendors that themselves offer BAAs. Healthcare deployments may require additional configuration; contact our team to scope.

See our BAA page for the standard agreement terms.

08 — Contact

Questions, security disclosures, data subject requests.

For privacy questions, data subject access or deletion requests, or general compliance inquiries: privacy@userecapture.com

For security disclosures or vulnerability reports: security@userecapture.com

For BAA execution, enterprise legal review, or vendor security questionnaires: legal@userecapture.com

ReCapture is operated by Asherton Chraibi. Postal address available on request for legal correspondence; please email legal@userecapture.com to arrange.