diff --git a/docker/ss-atlas/internal/handlers/subscription.go b/docker/ss-atlas/internal/handlers/subscription.go
index f8255fe..8e5eb0e 100644
--- a/docker/ss-atlas/internal/handlers/subscription.go
+++ b/docker/ss-atlas/internal/handlers/subscription.go
@@ -72,41 +72,41 @@ func (a *App) handleSuccess(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Check if user is already an active customer (resubscribe case)
 	inGroup, _ := a.ldap.IsInGroup(result.Username, "customers")
-	if inGroup {
-		// Returning customer: ensure stack exists, go to dashboard
-		stackName := fmt.Sprintf("customer-%s", result.Username)
-		exists, _ := a.swarm.StackExists(stackName)
-		if !exists {
-			if err := a.swarm.DeployStack(stackName, result.Username, a.cfg.TraefikDomain); err != nil {
-				log.Printf("resubscribe: stack deploy failed for %s: %v", result.Username, err)
-			}
+
+	if result.IsNew || !inGroup {
+		// New or lapsed customer: send password setup email, show onboarding.
+		// Group membership and stack deploy happen on /activate after they log in.
+		if err := a.triggerPasswordReset(result.Username); err != nil {
+			log.Printf("authelia reset trigger failed for %s: %v", username, err)
+		}
+		data := map[string]any{
+			"Username":     result.Username,
+			"IsNew":        result.IsNew,
+			"Email":        email,
+			"LoginURL":     a.cfg.AutheliaURL,
+			"ResetURL":     a.cfg.AutheliaURL + "/#/reset-password/step1",
+			"ActivateURL":  a.cfg.AppURL + "/activate",
+			"DashboardURL": a.cfg.AppURL + "/dashboard",
+			"InstanceURL":  "https://" + result.Username + "." + a.cfg.CustomerDomain,
+		}
+		if err := a.tmpl.ExecuteTemplate(w, "welcome.html", data); err != nil {
+			log.Printf("template error: %v", err)
+			http.Error(w, "internal error", http.StatusInternalServerError)
 		}
-		log.Printf("resubscribe: %s payment verified, redirecting to dashboard", result.Username)
-		http.Redirect(w, r, a.cfg.AppURL+"/dashboard", http.StatusSeeOther)
 		return
 	}
 
-	// New or lapsed customer: send password setup email, show onboarding.
-	// Group membership and stack deploy happen on /activate after they set a password.
-	if err := a.triggerPasswordReset(result.Username); err != nil {
-		log.Printf("authelia reset trigger failed for %s: %v", username, err)
-	}
-	data := map[string]any{
-		"Username":     result.Username,
-		"IsNew":        true,
-		"Email":        email,
-		"LoginURL":     a.cfg.AutheliaURL,
-		"ResetURL":     a.cfg.AutheliaURL + "/#/reset-password/step1",
-		"ActivateURL":  a.cfg.AppURL + "/activate",
-		"DashboardURL": a.cfg.AppURL + "/dashboard",
-		"InstanceURL":  "https://" + result.Username + "." + a.cfg.CustomerDomain,
-	}
-	if err := a.tmpl.ExecuteTemplate(w, "welcome.html", data); err != nil {
-		log.Printf("template error: %v", err)
-		http.Error(w, "internal error", http.StatusInternalServerError)
+	// Returning active customer: ensure stack exists, go to dashboard
+	stackName := fmt.Sprintf("customer-%s", result.Username)
+	exists, _ := a.swarm.StackExists(stackName)
+	if !exists {
+		if err := a.swarm.DeployStack(stackName, result.Username, a.cfg.TraefikDomain); err != nil {
+			log.Printf("resubscribe: stack deploy failed for %s: %v", result.Username, err)
+		}
 	}
+	log.Printf("resubscribe: %s payment verified, redirecting to dashboard", result.Username)
+	http.Redirect(w, r, a.cfg.AppURL+"/dashboard", http.StatusSeeOther)
 }
 
 func (a *App) handlePortal(w http.ResponseWriter, r *http.Request) {