Privacy Policy for PayByToken

1. Information We Collect

We collect the following types of information:

• Personal Information: When you create an Account, we may collect your email address, name, business details (if applicable), wallet addresses, and any other information you provide during registration or verification processes.
• Transaction Data: Details related to your use of the Services, including payment intents, invoices, transaction histories, wallet addresses generated for transactions, payout details, and blockchain-related data (e.g., on-chain transaction confirmations).
• Metadata: Custom data you provide through APIs or checkout sessions, which we encrypt for security.
• Device and Usage Information: Automatically collected data such as IP address, browser type, device identifiers, operating system, access times, and pages viewed.
• Compliance Information: If required for Know Your Customer (KYC) or Know Your Business (KYB) purposes, we may collect identification documents, proof of address, source of funds, or other verification data to comply with anti-money laundering (AML) and counter-terrorism financing (CTF) regulations.
• Communication Data: Information from emails, support requests, or other interactions with us.

We do not collect sensitive personal information (e.g., racial or ethnic origin, political opinions) unless required by law.

2. How We Collect Your Information

• Directly from You: When you register for an Account, integrate our APIs/SDKs, create payment intents or checkout sessions, request payouts, or contact us for support.
• Automatically: Through cookies, web beacons, and similar technologies when you interact with the Website or Services (e.g., logging transaction data via webhooks).
• From Third Parties: Blockchain networks for transaction confirmations, analytics providers for usage insights, or service providers for verification purposes.
• From Customers: Indirectly through your end-users (Customers) during payment processes, such as wallet transaction details, but we do not collect personal data from Customers unless you provide it via metadata.

3. How We Use Your Information

We use your information for the following purposes:

• Providing and Improving Services: To process transactions, generate unique wallet addresses, track payments, settle funds, provide dashboards and analytics, and enhance the Services.
• Compliance and Security: To verify identities (KYC/KYB), prevent fraud, comply with AML/CTF laws, sanctions, and other legal obligations.
• Communication: To send service-related notifications (e.g., via webhooks or email), respond to inquiries, and provide updates.
• Analytics and Research: To analyze usage patterns, improve features, and develop new services (in aggregated or anonymized form).
• Marketing: With your consent, to send promotional materials about our Services or related offerings.
• Legal Purposes: To enforce our Terms of Service, protect our rights, or respond to legal requests.

We process personal data based on legal grounds such as your consent, contract performance, legal obligations, or legitimate interests (e.g., security).

4. Sharing Your Information

We may share your information with:

• Service Providers: Third-party vendors for hosting, analytics, payment processing (e.g., blockchain nodes), security, or compliance services, bound by confidentiality agreements.
• Affiliates: Within our corporate group for internal operations.
• Legal and Regulatory Authorities: To comply with laws, subpoenas, court orders, or investigations (e.g., AML reporting).
• Business Transfers: In connection with mergers, acquisitions, or asset sales, where your data may be transferred.
• With Your Consent: For any other purpose you approve.

We do not sell your personal information. Sharing is limited to what is necessary and protected by appropriate safeguards.

5. Data Security

We implement reasonable technical, administrative, and physical measures to protect your information, including:

• Encryption of metadata and sensitive data in transit and at rest.
• Secure webhook signatures and one-time wallet addresses to prevent reuse attacks.
• Access controls, regular security audits, and fraud detection (Enterprise plan).
• Compliance with industry standards for data protection.

However, no system is completely secure. We cannot guarantee absolute security, especially for blockchain transactions which are public and immutable.

6. Data Retention

We retain your personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. For example:

• Account data: Retained while your Account is active and for 7 years thereafter for compliance.
• Transaction data: Retained for 7 years to meet AML/CTF requirements.
• Anonymized data: May be retained indefinitely for analytics.

When no longer needed, we securely delete or anonymize data.

7. Your Privacy Rights

Depending on your jurisdiction (e.g., under Hong Kong's Personal Data (Privacy) Ordinance (PDPO), GDPR for EU residents, or CCPA for California residents), you may have rights such as:

• Access: Request a copy of your personal data.
• Correction: Update inaccurate information.
• Deletion: Request erasure of your data (subject to legal exceptions).
• Objection: Object to processing based on legitimate interests.
• Restriction: Limit processing in certain cases.
• Portability: Receive your data in a structured format.
• Withdraw Consent: Where processing relies on consent.

To exercise these rights, contact us at support@paybytoken.io. We will respond within a reasonable timeframe (e.g., 30 days under GDPR). We may require verification of your identity.

8. International Data Transfers

Your data may be processed and stored in Hong Kong or other countries where our service providers operate. We ensure appropriate safeguards, such as standard contractual clauses or adequacy decisions, for transfers outside Hong Kong or the EEA.

9. Cookies and Similar Technologies

We use cookies, pixels, and local storage for functionality, analytics, and advertising. You can manage preferences via your browser settings. Essential cookies are required for the Services; others require consent.

For details, see our Cookie Policy (if separate; otherwise, incorporated here).

10. Children's Privacy

The Services are not intended for individuals under 18 years old (or the age of majority in your jurisdiction). We do not knowingly collect data from children. If we learn of such collection, we will delete it promptly.

11. Changes to This Privacy Policy

We may amend this Policy to reflect changes in our practices or legal requirements. The "Last Updated" date indicates the latest revision. Material changes will be notified via email or the Website.

12. Contact Us

For questions, concerns, or requests regarding this Policy, contact our Data Protection Officer at:

Email: support@paybytoken.io

Address: Binatir Limited, Hong Kong.