A customer who requests a refund and receives no acknowledgment has no idea whether the request was received, is being processed, or was silently rejected. Under GDPR Art. 12, data subjects must receive transparent communication about actions taken on their financial data. Without a refund initiation email, customers default to disputing the charge with their bank — a chargeback that costs you the dispute fee on top of the refund itself. The notification is also the correct moment to set expectations: '5–10 business days' in an email beats a support ticket asking the same question.
Low because missing refund notifications increase chargeback rates and support contact volume without directly corrupting order data or enabling unauthorized access.
Add a refund initiation email to the refund handler at app/api/orders/[id]/refund/route.ts immediately after the refund record is created.
// After db.refund.create() in app/api/orders/[id]/refund/route.ts:
await sendRefundInitiatedEmail({
  to: order.user.email,
  orderNumber: order.id,
  refundAmount: amount,
  currency: 'USD',
  processingDays: '5-10 business days',
  refundId: providerRefund.id,
})
If Stripe is configured to send its own refund receipts, document that decision in lib/email/order-emails.ts as a comment rather than silently relying on it — provider defaults can change.
ID: ecommerce-order-management.notifications.refund-email
Severity: low
What to look for: When a refund is initiated, count the email service calls in the refund handler (at least 1 required). Enumerate which data fields are passed to the refund email template — the notification should include at least 3 of: refund amount, order number, expected processing timeline (e.g., "5-10 business days"), and a reference number. Check whether the notification distinguishes between refund initiated versus refund completed. Quote the exact email function name if found.
Pass criteria: At least 1 refund notification email is sent when a refund is initiated. The email passes at least 2 refund data fields (refund amount and either processing timeline or refund ID). The customer is not left wondering whether their refund request was received. A refund handler that creates a refund record but makes 0 email calls does not count as pass.
Fail criteria: No email is sent when refunds are initiated (0 email calls in the refund handler). Customers must contact support to confirm whether their refund was processed.
Skip (N/A) when: The project does not support refunds or no refund handler exists, or the payment provider (Stripe) is explicitly configured to send its own refund receipts and the codebase documents this delegation decision.
Detail on fail: "The refund handler at src/app/api/orders/[id]/refund/route.ts calls stripe.refunds.create() and creates a refund record but makes 0 email calls to the customer. Customers have no confirmation that the refund is in progress."
Remediation: Add a refund notification email at the point where the refund is initiated in app/api/orders/[id]/refund/route.ts:
// After creating the refund record (in app/api/orders/[id]/refund/route.ts):
await sendRefundInitiatedEmail({
  to: order.user.email,
  orderNumber: order.id,
  refundAmount: amount,
  currency: 'USD',
  processingDays: '5-10 business days',
  refundId: providerRefund.id,
})
If your payment provider also sends its own refund notifications (Stripe does by default), consider whether sending a second email creates confusion. If so, you may be able to rely on the provider's notification and skip this application-level email — but document that decision explicitly.
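The "What to look for" and "Pass criteria" steps above can be automated as a heuristic source scan. The following is an added example, not part of the original check or of any project's code; the `send...Email` naming pattern, the flat object-literal argument, and both sample handler bodies are assumptions constructed for illustration.

```javascript
// Constructed sample handler bodies (not taken from a real codebase).
const PASSING_HANDLER = `
const providerRefund = await stripe.refunds.create({ payment_intent: pi, amount })
await db.refund.create({ data: { orderId: order.id, amount } })
await sendRefundInitiatedEmail({
  to: order.user.email,
  orderNumber: order.id,
  refundAmount: amount,
  processingDays: '5-10 business days',
  refundId: providerRefund.id,
})`;
const SILENT_HANDLER = `
const providerRefund = await stripe.refunds.create({ payment_intent: pi, amount })
await db.refund.create({ data: { orderId: order.id, amount } })
return Response.json({ ok: true })`;

// Assumption: email helpers are named send...Email and take one flat object
// literal. Nested objects and shorthand properties are not parsed.
const EMAIL_CALL = /\b(send\w*Email)\s*\(\s*\{([^}]*)\}/g;
const OBJECT_KEY = /(?:^|,)\s*(\w+)\s*:/g;

function auditRefundHandler(source) {
  // Count email calls and enumerate the fields each one passes.
  const calls = [...source.matchAll(EMAIL_CALL)].map(([, name, body]) => ({
    name,
    fields: [...body.matchAll(OBJECT_KEY)].map((m) => m[1]),
  }));
  // Pass criteria: refund amount plus either the timeline or the refund ID.
  const good = calls.find(
    (c) =>
      c.fields.includes('refundAmount') &&
      (c.fields.includes('processingDays') || c.fields.includes('refundId'))
  );
  const reported = good || calls[0];
  return {
    pass: Boolean(good),
    emailCalls: calls.length,
    functionName: reported ? reported.name : null,
    fields: reported ? reported.fields : [],
  };
}

console.log(auditRefundHandler(PASSING_HANDLER));
console.log(auditRefundHandler(SILENT_HANDLER));
```

A result with `emailCalls: 0` corresponds to the fail criteria; the scan cannot see provider-side receipts, so the documented Stripe delegation case still needs a manual check.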