Privacy Policy

Antiff operates the Services for businesses (each a “Customer” or “Merchant”) that use Antiff to recover revenue from payment disputes (chargebacks). The Services interact with two distinct categories of personal information, and Antiff plays different roles with respect to each:

Merchant personal information. When an individual signs up to use Antiff on behalf of a Merchant, configures the Services, or contacts Antiff for support, Antiff acts as the controller (or business, under U.S. state law) of that personal information. Examples include account, contact, billing, and usage information for the Merchant’s Authorized Users.

Cardholder personal information. When Antiff retrieves dispute records and supporting evidence from a Merchant’s Payment Processors and Connected Services, those records may include personal information about the cardholder (the end consumer who initiated the disputed transaction). With respect to that cardholder personal information, Antiff acts as a processor (or service provider, under U.S. state law) on the Merchant’s behalf, and the Merchant is the controller. Antiff processes that information only as instructed by the Merchant and only for the purpose of defending the specific dispute in which it appears.

If you are a cardholder seeking to exercise rights with respect to your personal information that a Merchant has shared with Antiff, please contact the Merchant directly. Antiff will support the Merchant in responding to your request as required by applicable law.

Antiff collects information in the categories described below.

Account and identity information. Name, email address, work telephone number, job title, business name, business website, country of operation, and the credentials Antiff’s authentication provider needs to verify the user (handled by Antiff’s authentication Sub-Processor; Antiff does not store passwords).

Business profile information. Business description, industry classification, company size, contact information for support, refund policy, terms of service, shipping policy, cancellation policy, and privacy policy text and URLs the Merchant publishes or that Antiff retrieves at the Merchant’s direction from the Merchant’s public website.

Integration metadata. The list of third-party services the Merchant has connected (such as Payment Processors, e-commerce platforms, customer-relationship-management tools, helpdesks, communication platforms, fulfillment platforms, and analytics services), the connection identifiers and tokens that authorize Antiff to access those services on the Merchant’s behalf, and the configuration the Merchant has chosen for each integration.

Dispute and transaction information. Records about payment disputes (including reason codes, deadlines, dispute identifiers, dispute status, and the gross and net amounts involved), records about the underlying charge and customer order, evidence files the Merchant uploads or that Antiff retrieves from a Connected Service (such as receipts, shipping confirmations, support transcripts, and contracts), and the dispute defense narratives Antiff’s system composes.

Cardholder personal information appearing in dispute records. Cardholder name, email address, billing and shipping address, partial card number (typically last four digits), card brand, IP address, device fingerprint, and any other personal information appearing in evidence the Merchant submits or that Antiff retrieves on the Merchant’s behalf in connection with a dispute.

Billing information. Information needed to charge the Merchant for Antiff’s commissions, including a payment-method token issued by Antiff’s payment-processing Sub-Processor, billing address, tax identifiers, and invoice and payment history. Antiff does not collect, store, or transmit raw payment-card numbers; payment-card details are tokenized by the payment-processing Sub-Processor.

Communications. The content of messages and questions that Authorized Users submit to Antiff via the dashboard, email, or other support channels, and Antiff’s responses.

Usage and technical information. Log records of how the Services are used (including pages viewed, actions taken, timestamps, referring URLs, IP address, browser and device characteristics, and operating-system information), error reports and stack traces (which Antiff sends to its error-monitoring Sub-Processor with personal information stripped where practical), and metrics about the performance and reliability of the Services.

Cookies and similar technologies. Information collected through cookies, local storage, and similar technologies as described in the “Cookies and similar technologies” section below.

Antiff collects information from the following sources.

• Directly from Authorized Users when they sign up, configure the Services, upload documents, or contact Antiff for support.
• From a Merchant’s Connected Services and Payment Processors when an Authorized User authorizes Antiff to retrieve data on the Merchant’s behalf.
• From the Merchant’s public website, when an Authorized User pastes the website’s URL into the onboarding wizard. Antiff fetches the landing page and a small number of linked policy pages and uses an artificial-intelligence model to extract structured business information from the fetched text. Antiff identifies its automated requests with the user agent “AntiffProfileBot.”
• From third-party providers Antiff engages to operate the Services, such as Antiff’s authentication, payments, hosting, and error-monitoring providers, in the course of providing those operational functions.
• Automatically from the Authorized User’s browser or device when an Authorized User accesses the Services, such as IP address, device characteristics, and cookie identifiers.

Antiff uses the information described above for the purposes set out below. Where the General Data Protection Regulation (GDPR) or another similar law applies, Antiff relies on the legal bases identified in parentheses.

• To provide the Services to Merchants, including ingesting disputes, retrieving evidence, composing defenses, and submitting defenses to Payment Processors (performance of a contract; legitimate interests of the Merchant).
• To bill Merchants for the commissions earned on Recovered Funds and to collect payment (performance of a contract; legitimate interests in operating Antiff’s business).
• To communicate with Authorized Users about their account, the Services, billing, security incidents, and changes to terms or policies (performance of a contract; legitimate interests in keeping users informed).
• To respond to support requests, troubleshoot issues, and improve the quality of support (legitimate interests in providing effective support).
• To operate, maintain, secure, monitor, evaluate, and improve the Services and Antiff’s underlying models, tooling, and integrations, including by analyzing usage patterns and aggregating data after de-identification (legitimate interests in operating and improving the Services).
• To detect, investigate, and prevent fraud, abuse, security incidents, and other harmful activity, and to comply with audit and accounting obligations (legitimate interests in protecting Antiff and its customers; legal obligations).
• To comply with applicable law, legal process, and the rules of card networks and Payment Processors, and to enforce Antiff’s rights and contracts (legal obligations; legitimate interests).
• With the Merchant’s consent, for any other purpose described to the Authorized User at the time of collection (consent).

Antiff uses third-party artificial-intelligence models, including Anthropic Claude, to extract business context from the Merchant’s public website during onboarding, to validate evidence the Merchant uploads, to compose dispute defense narratives, and to operate Antiff’s in-product copilot.

When Antiff calls a third-party AI model, the prompt and any context Antiff sends are processed under the AI provider’s data-processing terms. Antiff configures its integrations so that the third-party AI provider does not use Customer Content to train its underlying models, where the provider offers an opt-out. Antiff retains AI inputs and outputs as described in the “Retention” section below.

AI Outputs are generated probabilistically and may contain errors. The Merchant remains responsible for selecting the defense automation mode (autopilot, assisted, or manual) appropriate for the Merchant’s risk tolerance, and Antiff offers assisted and manual modes precisely so a human can review AI Outputs before submission.

Antiff treats cardholder personal information as a special category of Customer Content that Antiff processes only on the Merchant’s behalf and only to the extent necessary to defend the specific dispute in which it appears. Antiff does not use cardholder personal information for advertising, profiling, scoring, or any purpose unrelated to the dispute.

Antiff does not sell cardholder personal information. Antiff does not share cardholder personal information with third parties except (a) with Sub-Processors who provide hosting, storage, AI processing, or transmission of the dispute defense to the Payment Processor, (b) with the Payment Processor itself, on the Merchant’s instruction, and (c) where required by law, regulation, or legal process. The Merchant remains the controller of the cardholder personal information.

Antiff engages the Sub-Processors and service providers listed below to operate the Services. The list is updated from time to time. Material changes to the list will be reflected on this page; Merchants subject to a Data Processing Addendum may also receive direct notice as required by that addendum.

• Vercel Inc. — application hosting and content delivery. Region: United States.
• Supabase, Inc. — Postgres database, file storage for evidence uploads, and real-time messaging. Region: United States.
• Clerk, Inc. — authentication, session management, and password handling. Region: United States.
• Anthropic PBC — large-language-model inference for business-profile extraction, evidence validation, defense composition, and the Antiff copilot. Region: United States.
• Composio Inc. — broker for OAuth connections and API calls to the Merchant’s Connected Services. Region: United States.
• Stripe, Inc. — payment processing for Antiff’s billing of Merchants for earned commissions. Region: United States.
• Resend (Resend, Inc.) — transactional email delivery for product notifications and billing communications. Region: United States.
• Inngest, Inc. — durable workflow execution for asynchronous jobs (poll cycles, defense composition, validation, submission, billing runs). Region: United States.
• Functional Software, Inc. (Sentry) — error monitoring and performance telemetry from the application’s server and client runtimes. Region: United States.
• Doppler, Inc. — secrets management for application configuration. Region: United States.

Antiff shares personal information only as described in this Policy.

• With Sub-Processors and service providers, as listed above, who process personal information on Antiff’s behalf and under contractual confidentiality and security obligations.
• With the Merchant’s Payment Processors, in order to submit dispute defense materials at the Merchant’s direction.
• With other parties at the Merchant’s direction, such as when the Merchant exports its data or instructs Antiff to share data with the Merchant’s own service providers.
• With professional advisers (such as auditors, lawyers, and accountants), when reasonably necessary to operate Antiff’s business and subject to confidentiality obligations.
• With law-enforcement authorities, regulators, or other parties when Antiff believes in good faith that disclosure is required to comply with law, legal process, or governmental request, or to protect the rights, property, or safety of Antiff, its customers, or the public.
• With an acquirer or successor in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or substantially all of Antiff’s assets, in which case personal information may be transferred subject to the recipient’s commitment to honor the relevant terms of this Policy.
• With the consent of the individual whose personal information is being shared.

Antiff is headquartered in the United States and operates a U.S.-based infrastructure. When Antiff processes personal information that originates in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border-transfer restrictions, Antiff and its Sub-Processors rely on appropriate transfer mechanisms (such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum) to provide an adequate level of protection.

Merchants subject to such restrictions may execute a Data Processing Addendum with Antiff that incorporates the applicable transfer mechanisms. Contact support@antiff.io to request the addendum.

Antiff retains personal information for as long as needed to provide the Services, to comply with legal obligations, to resolve disputes, and to enforce agreements. Specific retention practices include:

• Active dispute records and defense documents are retained for the duration of the Merchant relationship, plus an additional period during which a Payment Processor or card network may reopen, reverse, or audit a dispute.
• Closed dispute outcomes (status, win or loss, recovered amount, billable record) are retained for up to seven (7) years from closure for accounting, tax, regulatory, and audit purposes.
• Evidence files in the dispute-evidence storage bucket are retained for the period above and are isolated by row-level security so that each Merchant can only access its own files.
• Account and billing records are retained for the duration of the Merchant relationship and for the period required by applicable tax and accounting law (typically up to seven (7) years).
• Server access logs, application logs, and error reports are retained for up to ninety (90) days for security and reliability purposes.
• Email communications are retained for the duration of the Merchant relationship and for a reasonable period afterward.
• After the applicable retention period ends, Antiff deletes or de-identifies the corresponding personal information from active systems on a regular schedule, except where law requires longer retention or where the data is subject to a legal hold.

Antiff implements technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Those measures include encryption in transit (TLS) and at rest, role-based access control, principle-of-least-privilege access for Antiff personnel, isolated tenant data via row-level security in the Antiff database, scoped storage buckets for evidence files, audit logging, automated vulnerability scanning, and continuous error and anomaly monitoring.

No method of transmission or storage is completely secure, however, and Antiff cannot guarantee the absolute security of personal information. If Antiff becomes aware of a breach of personal information that affects a Merchant, Antiff will notify the Merchant promptly and in any event within the timeline required by applicable law.

Depending on where you are located, you may have rights with respect to your personal information. Antiff supports the rights described below subject to applicable law and to verifying your identity.

• The right to access the personal information Antiff holds about you and to receive a copy in a portable format.
• The right to correct inaccurate personal information and to complete incomplete personal information.
• The right to delete personal information, subject to applicable retention obligations and to exceptions in the law.
• The right to restrict or object to certain processing.
• The right to withdraw consent where Antiff relies on consent (without affecting the lawfulness of processing already carried out).
• The right to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising. Antiff does not sell or share personal information for cross-context behavioral advertising.
• The right to lodge a complaint with a supervisory authority, such as a data-protection authority in the European Economic Area or the U.K. Information Commissioner’s Office.
• Where required by U.S. state law, the right not to receive discriminatory treatment for exercising any of the rights above.

To exercise any of the rights described above with respect to personal information that Antiff holds as a controller, contact support@antiff.io with the subject line “Privacy Request.” Antiff may need to verify your identity before fulfilling the request.

If you are a cardholder seeking to exercise rights with respect to personal information that a Merchant has shared with Antiff, please contact the Merchant directly. Antiff will support the Merchant’s response as required by applicable law and the Merchant’s instructions.

Authorized agents may submit requests on behalf of a consumer where applicable law allows. Antiff may require the agent to provide proof of authority and may require the consumer to verify the agent’s identity directly.

Antiff uses cookies, local storage, and similar technologies to operate the Services, to recognize Authorized Users across pages and sessions, to remember preferences (such as language), and to measure performance and reliability. The categories Antiff uses are:

• Strictly necessary cookies that are required to operate the Services, including authentication, session management, and load balancing.
• Functional cookies that remember user preferences (for example, the locale cookie that records the user’s language choice and the in-product copilot configuration).
• Performance and analytics cookies that measure how the Services are used so Antiff can improve them. Antiff aggregates and de-identifies the data collected through these cookies before using it for product analytics.
• Error-monitoring telemetry that captures unhandled errors and performance traces from the application. Antiff configures its error-monitoring provider to scrub known categories of personal information (such as authorization headers, cookies, and request bodies) before events leave the user’s device.

Antiff does not currently use cookies for cross-site behavioral advertising. Browser settings allow users to block or delete cookies; doing so may impair the operation of the Services.

Antiff does not track Authorized Users across third-party websites for advertising purposes and does not respond to “Do Not Track” signals because there is no consensus on how Do Not Track should be interpreted. Antiff honors a Global Privacy Control (GPC) signal received from an Authorized User’s browser as a request to opt out of any future “sale” or “sharing” of personal information that may be subject to U.S. state law.

The Services are intended for businesses and the individuals who operate them. The Services are not directed to children under the age of 16, and Antiff does not knowingly collect personal information from children. If Antiff becomes aware that a child has provided personal information to Antiff, Antiff will delete that information.

Antiff’s defense automation feature can submit dispute defenses to a Payment Processor on the Merchant’s behalf without prior human review when the Merchant configures the Service in autopilot mode. The decision to submit is made by Antiff’s software based on the Merchant’s configured rules (such as a minimum win-score threshold and a minimum disputed amount). The Merchant chooses the mode and may switch to assisted or manual mode at any time. The decision to submit a dispute defense does not produce a legal effect for the cardholder; the underlying outcome of the dispute is decided by the card network and issuing bank, not by Antiff.

Antiff may update this Privacy Policy from time to time. When Antiff makes a material change, Antiff will update the “effective date” at the top of this page and provide notice to Merchants by email or in the dashboard before the change takes effect, where required by applicable law.

If you do not agree with a material change, you may cancel your account before the change takes effect. Continued use of the Services after the effective date constitutes acceptance of the updated Policy.

Antiff Inc. is a Delaware corporation. For questions about this Privacy Policy or to exercise any of the rights described above, contact support@antiff.io with the subject line “Privacy Request.”

Where required by applicable law, Antiff will appoint a representative or data protection officer and update this section to reflect that appointment.