Recurly is a US-based subscription billing and recurring revenue platform headquartered in San Francisco that powers subscription lifecycle, dunning, revenue recognition and recurring invoicing for SaaS, streaming and digital media companies. Recurly.js tokenises card and bank input in a PCI-compliant iframe loaded from js.recurly.com. Recurly acts as a processor (not a merchant of record); processing happens on AWS US East, with optional EU residency on AWS Frankfurt for enterprise plans.
Recurly is a subscription billing platform incorporated as Recurly Inc. in San Francisco, California, founded in 2009. It powers recurring revenue for SaaS companies, streaming services, digital publishers and consumer subscription brands. Recurly handles plans and add-ons, free trials, taxes (with TaxJar or Avalara), dunning, revenue recognition, churn analytics and customer self-service portals. It connects to Stripe, Braintree, Adyen, Worldpay and many other payment gateways as the underlying processor.
Recurly.js is loaded from js.recurly.com on the seller's subscription or checkout page. It opens an iframe served from api.recurly.com that captures the card or bank account input directly in the PCI scope of Recurly, returns a token to the seller's frontend and never exposes the raw PAN. The iframe sets first-party Recurly cookies (recurly_session, recurly_csrf, recurly_risk) used to maintain the in-progress checkout and to score risk. Server side, Recurly stores subscription metadata, invoices and tokenised card references.
Recurly is a processor for the seller under Art. 28 GDPR. The strictly necessary cookies on the Recurly.js iframe are exempt from prior consent under Art. 5(3) ePrivacy because they are needed for the requested payment service. The seller remains the controller for the subscription data and the merchant for VAT, although Recurly can compute and remit taxes when integrated with TaxJar or Avalara.
By default, Recurly processes EU subscription data on AWS US East 1 and US West 2. EU data residency on AWS Frankfurt (eu-central-1) is available as a contractual add-on. The Recurly DPA incorporates the EU Standard Contractual Clauses (modules 2 and 3) and the UK International Data Transfer Addendum, and Recurly is self-certified under the EU-US Data Privacy Framework. A Transfer Impact Assessment should evaluate US surveillance laws.
Sign the Recurly DPA, request EU data residency if available on your plan, mention Recurly as a processor in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF and run a Transfer Impact Assessment. Keep card data off your servers by using Recurly.js. No cookie banner update is needed for the hosted iframe itself, but optional analytics on the same page must remain in a consent-gated tag manager.
DPIA considerations
A DPIA is not normally required for using Recurly as a billing processor. It can become appropriate when Recurly subscription data is combined with extensive customer profiling, dynamic pricing, AI driven dunning or special category data tied to subscription tiers.
Sample consent text
Recurring payments on this site are powered by Recurly (Recurly Inc., United States). Recurly tokenises your card and bank input in a PCI compliant iframe, processes subscription data on AWS US East and supports an EU residency option on AWS Frankfurt. International transfers are covered by Standard Contractual Clauses and the EU US Data Privacy Framework. Recurly is our processor, not the merchant of record.
Third-party domains contacted
recurly.com
js.recurly.com
api.recurly.com
app.recurly.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| recurly_session | third_party | Session | Strictly necessary session cookie set on the Recurly hosted iframe to keep the in progress checkout while the customer is entering payment data. |
| recurly_csrf | third_party | Session | CSRF protection token used to validate the payment form submission on the Recurly hosted iframe. |
| recurly_risk | third_party | 30 minutes | Strictly necessary fraud risk cookie used by Recurly for transaction risk scoring during the checkout. |
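The domain list and cookie table above name exactly the Recurly hosts a checkout page has to reach, and the guidance earlier on this page says any analytics on that page must stay behind a consent gate. The following is an added example (not Recurly's code or CSP guidance) that audits a page's Content-Security-Policy header against those hosts: it reports Recurly hosts the policy would block and any script origin other than the seller's own and js.recurly.com, which is either an unconditionally loaded third-party tag or a wildcard. The directive-to-host mapping (script tag, hosted iframe, token API calls) and the sample headers are assumptions constructed for the example.

```python
from typing import Dict, List, Set

# Hosts from the "Third-party domains contacted" list, mapped to the CSP
# directives assumed to govern them (assumption for this example).
RECURLY_REQUIRED: Dict[str, Set[str]] = {
    "script-src": {"js.recurly.com"},   # the Recurly.js script tag
    "frame-src": {"api.recurly.com"},   # the hosted card/bank iframe
    "connect-src": {"api.recurly.com"}, # tokenisation calls from the page
}
# CSP fallback chain consulted when a directive is absent.
FALLBACK = {"frame-src": ["child-src", "default-src"]}

# Constructed sample headers: one that works, one that blocks the iframe
# and lets an unrelated tag vendor run outside the consent gate.
GOOD_CSP = ("default-src 'self'; script-src 'self' https://js.recurly.com; "
            "frame-src api.recurly.com; connect-src 'self' api.recurly.com")
BAD_CSP = ("default-src 'self'; script-src 'self' js.recurly.com "
           "tags.analytics-vendor.example; connect-src 'self'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Return the directive's sources, or those of the first fallback that is set."""
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in policy:
            return policy[name]
    return []


def host_sources(sources: List[str]) -> Set[str]:
    """Keep host expressions; drop keywords ('self', nonces) and bare schemes."""
    hosts: Set[str] = set()
    for src in sources:
        if src.startswith("'") or src.endswith(":"):
            continue
        hosts.add(src.split("//")[-1].split("/")[0].lower())
    return hosts


def audit_csp(header: str, first_party: str) -> Dict[str, List[str]]:
    """Blocked Recurly hosts plus script hosts that are neither ours nor Recurly's."""
    policy = parse_csp(header)
    missing: List[str] = []
    for directive, required in RECURLY_REQUIRED.items():
        allowed = host_sources(effective_sources(policy, directive))
        missing += [f"{directive} {h}" for h in sorted(required)
                    if h not in allowed and "*" not in allowed]
    scripts = host_sources(effective_sources(policy, "script-src"))
    unexpected = sorted(scripts - {first_party.lower()} - RECURLY_REQUIRED["script-src"])
    return {"missing": missing, "unexpected_script_hosts": unexpected}
```

Run `audit_csp` against the header your checkout page actually sends; an empty `missing` list with an empty `unexpected_script_hosts` list is the state to aim for, and a `*` in the second list means the policy allows any script origin.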
Recurly.js loads an iframe served from api.recurly.com that sets strictly necessary first party cookies on the Recurly hosted domain: recurly_session (session cookie keeping the checkout), recurly_csrf (CSRF protection) and recurly_risk (fraud risk score during the transaction).
No. The Recurly.js iframe cookies are strictly necessary to deliver the payment service the customer has initiated and are exempt from prior consent under Art. 5(3) ePrivacy. The customer's active choice to subscribe is the legal basis under Art. 6(1)(b) GDPR.
Contract performance (Art. 6(1)(b) GDPR) for subscription billing data. Legal obligation (Art. 6(1)(c)) for tax records on the seller side. Strictly necessary cookies are exempt under Art. 5(3) ePrivacy.
Yes. Recurly Inc. is established in the United States and processes EU subscription data on AWS US East 1 and US West 2 by default. EU residency on AWS Frankfurt is available as an enterprise add-on. The Recurly DPA includes the EU SCCs and the UK IDTA, and Recurly is self-certified under the EU-US Data Privacy Framework.
Standard subscription billing through Recurly does not normally require a DPIA. It can become appropriate when Recurly subscription data is combined with extensive customer profiling, dynamic pricing, AI driven dunning or special category data tied to subscription tiers.
Sign the Recurly DPA, request EU residency if your plan allows it, integrate Recurly.js to keep card data outside your servers, mention Recurly as a processor in your privacy notice and Article 30 record, document the US transfer with SCCs and DPF and run a Transfer Impact Assessment.
Subscription billing alternatives include Stripe Billing (Ireland and US with DPF), Chargebee (US with EU residency), Zuora (US with EU residency), Paddle (UK MoR), Maxio / SaaSOptics (US), Adyen Subscriptions (Netherlands) and Mollie subscriptions (Netherlands).
You do not need a banner update for the hosted Recurly.js iframe (strictly necessary cookies). In your privacy notice describe Recurly as your subscription billing processor, the US storage on AWS, the SCCs and DPF and the EU residency option for enterprise plans.