Security & privacy

Read-only by design. Private by default.

Connecting a payment account is the most sensitive thing VerifiedMRR asks of you, so here is exactly what it can and cannot do — no marketing, just the mechanism. Every credential is read-only, encrypted before storage, and deletable in one click.

Three guarantees, plainly.

Read-only, always

Every provider credential grants read access only. VerifiedMRR physically cannot move money, issue refunds, change prices, or edit your products.

Encrypted at rest

Credentials are validated server-side and encrypted with AES-GCM before they are stored. They are never exposed back to the browser.

Delete in one click

Disconnect a provider and its stored credential is deleted. Delete your workspace and VerifiedMRR-owned data goes with it.

What VerifiedMRR can and cannot see.

What it reads

  • Balance transactions — the money in and out
  • Basic account metadata — which account, currency, status
  • Refund and dispute records tied to those transactions
  • Derived aggregates it computes: net, gross, refunds, trend

What it never touches

  • Your customers — no names, no emails, no lists
  • Card or payment-method data — none of it
  • Any ability to move money, refund, or change settings
  • Product, price, or subscription edits of any kind
Per provider

The exact credential each provider needs.

VerifiedMRR asks for the narrowest read-only credential each provider supports. You create it in the provider's own dashboard and can revoke it there at any time.
ProviderCredential you createWhat it grants
StripeRestricted API key (rk_…)Accounts, Balance, and Balance Transaction Sources — read only
Lemon SqueezyAPI keyRead access to orders and store metadata
PaddleAPI keyRead access to transactions (live or sandbox)
PolarOrganization access tokenRead access to orders for your organization
CreemAPI keyRead access to transaction records
Dodo PaymentsRead-only API keyRead access to payments
ChargebeeSite + API keyRead access to your Chargebee site's transactions
AdyenAPI key + account holder codeRead access to account-holder transactions
RevenueCatv2 secret API key + project IDcharts_metrics:overview:read — Charts & Metrics only
Keep exploring

Keep exploring

FAQ

Before you connect a provider.

Do you ever get my secret API key?

No. You create a restricted or read-only credential in the provider's dashboard and paste that. For Stripe it is a restricted key (rk_…), never your secret key.

Can VerifiedMRR move money or issue refunds?

No. Every credential is read-only. It physically cannot move money, refund, change prices, or edit products — the provider enforces that scope, not just us.

Where are my credentials stored?

Validated server-side and encrypted with AES-GCM before storage. They are never sent back to your browser, and disconnecting a provider deletes the stored credential.

Can you see my customers or their cards?

No. We read balance transactions and account metadata only — no customer names, emails, lists, or card data.

How do I delete everything?

Disconnect a provider to delete its credential, or delete your workspace to remove VerifiedMRR-owned data, subject to backups or records required for legal and billing reasons.

Who is behind VerifiedMRR?

It is a SimpleBytes project. Security or privacy questions go to [email protected].

See it before you connect anything.

Explore the sample dashboard free — no credentials required — then connect a read-only key when you trust it.

Preview free