Paddle customer handbook
Guidance and best practices for software companies selling through Paddle
What is Paddle?
Paddle helps SaaS companies grow faster with fewer distractions. Instead of wasting time, money, and resources assembling, maintaining, securing, and constantly updating a ‘best of breed’ payments stack, we do it all.
Because we’re a SaaS Merchant of Record, we take away 100% of the payments complexity—handling all payment routing, tax collection, compliance, invoicing, subscription management, renewals, reporting, and fraud protection.
SaaS companies can focus on building great products and generating value for customers—leaving all payment challenges to us. It’s faster, safer, simpler, and way better.
We require that our software sellers:
- Have a website and only accept payments through their website, or apps using our SDKs.
- Never send their buyers the product checkout link directly as a means to collect payment. Payments should always be made through their website.
- Are never in possession of their buyer card details, for transactions processed through Paddle for PCI DSS Compliance reasons.
- Add this text on their website T&Cs - “Our order process is conducted by our online reseller Paddle.com. Paddle.com is the Merchant of Record for all our orders. Paddle provides all customer service inquiries and handles returns”.
- Make it clear to buyers what products they’re paying for and what amount they’re committing to before the purchase (including making it clear if they’re entering into a subscription).
- Keep the product description clear to ensure the product’s capabilities and limitations are made very transparent. This should also be updated in the dashboard when adding a new product for compliance reasons.
- Take reasonable steps to let buyers correct errors in their orders.
- List their terms & conditions, refund policy, and buyer support details (email and phone number) clearly on their website.
- Make sure the buyer accepts their terms & conditions and refund policy before they make a purchase.
- Ensure an uninterrupted product fulfillment/activation once the buyer has completed payment.
- Don’t engage in any activities we construe as sales malpractice or deceptive sales tactics.
- Don’t sell products that are on our unsupported products list.
- Have a clear product statement descriptor (this is what appears on your buyer’s card statement). Use your website or main product’s name so buyers can recognize what they bought. This can be changed under Checkout -> Checkout Settings -> Transactions.
- Notify us of any changes to your refund policy, product T&Cs, or contact details, and update your website accordingly.
We recommend the following:
- Have at least a 30-day money-back guarantee as part of their refund policy.
- Before they download content, ask the buyer to confirm that they are aware they only have 30 days from the order completion date to cancel or apply for a refund.
- Have a complaint policy with expected turnaround times for complaint resolution, as well as details for the appropriate trade ombudsman service, should the complaint not be resolved to the buyer’s satisfaction.
- Ensure that your website has an SSL certificate and is served over HTTPS. Browsers show a “padlock” icon and “https” in the address bar for such sites, which confirms to your buyers that the connection is encrypted and the page they’re on is secure.
An ideal product fulfillment process would include:
- Display an order success page with the software license keys (if you use licenses) and simple instructions on how to activate post-purchase. If you’re creating your own success page, here are instructions on how to create a similar page yourself. Cross-selling is recommended, but you should not interrupt the product activation flow at this stage in order to cross-sell.
- If you’re not using our product fulfillment, then ensure an email is instantly sent to the buyer with the software license keys (if you use licenses) and simple instructions on how to activate or get started. This will confirm the contract. We will always send an order receipt to the buyer to confirm the transaction as we are the merchant of record.
- The above email should also contain links to your terms & conditions, refund policy, buyer support, and a way for buyers to contact Paddle directly (usually through providing a link to Paddle.net).
Disputes (or chargebacks) occur when a buyer contacts their bank or PayPal to dispute a charge.
This can be for many reasons, including:
- Fraudulent transaction.
- They don’t recognize the charge.
- Recurring billing cancellation.
- They didn’t receive the product.
- The product was not satisfactory.
Unfortunately, disputes are a common part of dealing with online payments, especially for digital goods sales. A buyer can charge back a card payment up to 120 days after the product was delivered. We recommend that you try to resolve any customer payment issues early to avoid them escalating into a chargeback. Keeping your contact details up to date with our Buyer Support Team will also ensure a seamless service and avoid delays that can lead to a dispute.
It’s important that you keep your dispute rate low. An average rate is in the region of 0.1-0.3% of transactions; a rate above 0.75% is unacceptable. We’ll send you a dispute notification whenever we receive a dispute from one of your buyers, so we recommend keeping all dispute alerts switched on (under vendor settings -> alerts).
When a dispute occurs, Paddle will fight on your behalf, submitting the relevant evidence to your buyer’s bank; in the case of misidentified transactions, we reach out to the buyer and attempt to resolve the situation for you. We’ll also email you asking for information we don’t have access to, such as direct buyer communication or software usage logs, which can improve your chances of winning the chargeback.
Chargebacks incur a fee of $15 (£15 or €15) for card payments and $20.00 (£20 or €20) for PayPal transactions, depending on the currency the user was charged in. We generally do not see a lot of PayPal chargebacks. Once a chargeback is received, the chargeback fee is passed on to you in addition to the original amount of the transaction and debited from your Paddle account.
If we win a dispute case for you, we return the original amount of the transaction back to your balance and refund any fees associated with the dispute.
Our aim is to protect our customers from fraud, so here are some tips to protect your online business from fraudulent buyers/purchases:
- Be vigilant of unusually large transactions or a buyer who has completed an unusually high number of transactions in a short period of time. Abnormal transaction activity or buyer behavior can be a sign of online fraud. We recommend additional checks like verifying your buyer’s identity or refunding unusually risky transactions to avoid the risk of a chargeback.
- Disputes come with a fee of up to $20, so when a chargeback is received, a software seller not only loses the transaction amount but also pays the additional fee. It’s therefore in your best interests to refund any transactions that may carry the risk of a chargeback.
- Ensure you have a secure online checkout process by serving your checkout pages over HTTPS. Paddle’s checkout iframe already has this protection, as it is hosted on an ‘https:’ page.
- Use enterprise-level antivirus software on all employee devices to protect your business from malware.
- Ensure you use strong passwords across your organization.
- Don’t store sensitive buyer information physically (on paper, in files, etc.); store this data electronically, protected with secure 128-bit encryption.
- Keep all third-party software up to date with its patch releases.
- Always retain any buyer communication and software usage reports to improve your chances of winning chargebacks.
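The two monitoring tasks described above (spotting unusually large orders or a buyer placing many orders in a short period, and keeping your dispute rate below the handbook’s 0.75% ceiling) can be automated against your own order records. The following is an added example written for this handbook, not Paddle code and not a Paddle API: the order data is constructed, and the multiplier, time window and order-count thresholds are hypothetical values you would tune to your own sales history.

```python
"""Added example (not Paddle code): simple size and velocity checks on order
records, plus a dispute-rate check against the handbook's stated bands.
Thresholds and sample data are constructed for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample orders: (order_id, buyer_email, amount_usd, iso_timestamp)
SAMPLE_ORDERS = [
    ("o1", "alice@example.com", 49.0, "2024-03-01T10:00:00"),
    ("o2", "bob@example.com", 49.0, "2024-03-01T10:05:00"),
    ("o3", "carol@example.com", 99.0, "2024-03-01T11:00:00"),
    ("o4", "dave@example.com", 49.0, "2024-03-01T12:00:00"),
    ("o5", "dave@example.com", 49.0, "2024-03-01T12:03:00"),
    ("o6", "dave@example.com", 49.0, "2024-03-01T12:07:00"),
    ("o7", "dave@example.com", 49.0, "2024-03-01T12:09:00"),
    ("o8", "erin@example.com", 2500.0, "2024-03-01T13:00:00"),
]

# Hypothetical thresholds (assumptions, not handbook values)
LARGE_ORDER_MULTIPLIER = 10          # amount > 10x the median order is "unusually large"
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_MAX_ORDERS = 3              # more than 3 orders per buyer per window is suspicious


def flag_orders(orders, multiplier=LARGE_ORDER_MULTIPLIER,
                window=VELOCITY_WINDOW, max_orders=VELOCITY_MAX_ORDERS):
    """Return (order_id, reason) pairs for orders that warrant a manual check
    before fulfilment, e.g. identity verification or a pre-emptive refund."""
    flags = []
    amounts = [amt for _, _, amt, _ in orders]
    baseline = median(amounts) if amounts else 0.0

    # Size check: compare each order against the median of the batch
    for oid, _, amt, _ in orders:
        if baseline and amt > multiplier * baseline:
            flags.append((oid, f"amount {amt:.2f} exceeds {multiplier}x median {baseline:.2f}"))

    # Velocity check: sliding window over each buyer's orders, in time order
    by_buyer = defaultdict(list)
    for oid, buyer, _, ts in orders:
        by_buyer[buyer].append((datetime.fromisoformat(ts), oid))
    for buyer, items in by_buyer.items():
        items.sort()
        already = set()
        start = 0
        for end in range(len(items)):
            # shrink the window until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 > max_orders:
                for _, oid in items[start:end + 1]:
                    if oid not in already:
                        already.add(oid)
                        flags.append((oid, f"{buyer} placed more than {max_orders} orders within {window}"))
    return flags


def dispute_rate_status(disputes, transactions):
    """Classify a dispute ratio (as a percentage) against the handbook's bands:
    0.1-0.3% is typical and above 0.75% is unacceptable. The "elevated" label
    for the gap between those bands is an assumption made here."""
    if transactions <= 0:
        raise ValueError("transactions must be positive")
    rate = disputes / transactions * 100
    if rate > 0.75:
        status = "unacceptable"
    elif rate > 0.3:
        status = "elevated"
    else:
        status = "typical"
    return round(rate, 3), status


if __name__ == "__main__":
    for oid, reason in flag_orders(SAMPLE_ORDERS):
        print(f"{oid}: {reason}")
    print("dispute rate:", dispute_rate_status(disputes=8, transactions=1000))
```

Run against the constructed data, the size check flags the $2,500 order and the velocity check flags the four orders one buyer placed within nine minutes; the dispute-rate helper reports 8 disputes per 1,000 transactions (0.8%) as unacceptable. Flagged orders are candidates for the extra identity checks or the pre-emptive refund the handbook recommends, not automatic decisions.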
If you notice a suspicious buyer, please report them to email@example.com immediately.
Third-party fraud monitoring
Our aim is to protect our customers from fraud and help keep their dispute rates within the acceptable threshold, so we use third-party prevention tools to provide an additional layer of fraud protection. These tools monitor for and intercept transactions that have a confirmed chargeback risk due to fraud. We proactively return the funds to the authorized cardholder to avoid receiving a chargeback and to keep within the acceptable chargeback ratio set out by the card payment networks. A positive alert incurs a fee of $15.00, which is forwarded to you. This keeps your account’s dispute ratio within an acceptable threshold, avoiding penalties up to and including account closure.
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments.
Paddle is PCI DSS SAQ A compliant. This means that we do not directly store card information and are PCI compliant for web transactions only. As a result, companies who use Paddle for software sales must not store, process, or transmit cardholder data, either physically or electronically.
An example of a transaction that isn’t compliant is when a seller takes their buyer’s card details over the phone and processes a payment for software using the payment link themselves. The only way our customers can use Paddle for sales is by integrating our payment link into a working website or app.
The European Union (EU) introduced a landmark regulation called the General Data Protection Regulation (GDPR) in May 2018.
The goal of the GDPR is to give EU residents improved privacy rights and control over their personal data, protecting them from privacy breaches and leaks.
Every organization that handles, markets to, or tracks the personal data of EU residents is subject to it, even if they’re not based in Europe. For software companies who sell their products globally, this regulation applies no matter where they’re based.
There are strong penalties in place for non-compliance: up to €20m or 4% of global annual turnover, whichever is higher.
When implementing the GDPR, an important focus for us has been making sure we were compliant, and in turn that the personal data of the buyers purchasing your products was treated correctly, whilst continuing to provide a great buyer experience. Here are the main concepts of the GDPR:
Personal data requires lawful processing
This means that you shouldn’t buy email lists where you don’t know how consent was acquired, and we can’t enable newsletters to buyers if we don’t know whether they’ve consented to them.
Buyers should specify exactly what communications they want to receive from you
This means that the language explaining how you will contact them needs to be very clear and must respect your buyers’ opt-in preferences, leading to fewer unsubscribes and spam reports.
Buyers will have a right to transparency around the collection and processing of their data
This means that they’ll be able to ask us for the data we store on them and receive it in a simple format.
Buyers can request the right to be forgotten
This means that if asked, we will remove their personal data - letting you focus on the best buyers.
Implementing all of this could be complex
Just ask our in-house GDPR experts who have been looking into its correct application! We’ve rolled out changes to ensure that it is simple and straightforward for you and will always keep you informed.
To read more about GDPR at Paddle click here. For any data security questions or data removal requests email firstname.lastname@example.org.
Tax and compliance
Read more about tax and compliance at Paddle here.