Privacy Policy

PAAY Inc. (“PAAY,” “we,” “us,” or “our”) is committed to protecting the privacy and security of the information we collect and process. This Privacy Policy describes how we collect, use, disclose, and safeguard information in connection with our EMV 3-D Secure authentication services, APIs, dashboards, website, and related tools (collectively, the “Services”).

1. Information We Collect

Information You Provide

• Account Information: When you register for our Services, we collect your business name, contact name, email address, phone number, and billing information.
• Contact Form Submissions: When you contact us through our website, we collect the information you provide, such as your name, email, company, and message content.
• Support Communications: We retain records of communications with our support team to improve our Services.

Transaction Data

In the course of providing 3DS authentication services, we process transaction data submitted by merchants through our APIs. This may include:

• Card number (PAN), expiration date, and cardholder name
• Transaction amount and currency
• Merchant and acquirer identifiers
• Device and browser information for risk-based authentication
• Billing and shipping addresses when provided
• Authentication results and status codes

Transaction data is processed solely to provide authentication services and is handled in accordance with PCI DSS requirements and card network rules.

Automatically Collected Information

• Usage Data: We collect information about how you interact with our website and dashboard, including pages visited, features used, and access times.
• Device Information: We collect browser type, operating system, IP address, and device identifiers.
• Cookies: We use cookies and similar technologies as described in the Cookies section below.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain our 3DS authentication Services
• Process and complete authentication requests
• Generate analytics, reports, and dashboards for merchants
• Communicate with you about your account, service updates, and support inquiries
• Monitor and improve the performance, security, and reliability of our Services
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal obligations, card network rules, and regulatory requirements
• Send marketing communications (with your consent, where required)

3. How We Share Information

We may share information with the following parties:

• Card Networks and Issuers: Transaction data is shared with card networks (Visa, Mastercard, etc.) and card-issuing banks as required to complete the 3DS authentication process.
• Service Providers: We use trusted third-party providers for hosting, analytics, email delivery, and other operational functions. These providers are contractually bound to protect your data and use it only for the services they provide to us.
• Legal Requirements: We may disclose information when required by law, regulation, legal process, or enforceable governmental request.
• Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.

We do not sell personal information to third parties. We do not use transaction data for advertising purposes.

4. Data Security

We implement industry-standard security measures to protect your information, including:

• Encryption of data in transit (TLS) and at rest
• PCI DSS Level 1 compliance for payment data handling
• Access controls and authentication for all systems
• Regular security assessments and penetration testing
• Monitoring and logging of system access

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

We retain information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Transaction authentication data is retained in accordance with card network requirements and applicable regulations. When data is no longer needed, it is securely deleted or anonymized.

6. Cookies and Tracking Technologies

Our website uses cookies and similar technologies to:

• Essential Cookies: Enable core website functionality such as navigation and secure access to authenticated areas.
• Analytics Cookies: Help us understand how visitors interact with our website so we can improve the user experience.
• Marketing Cookies: Used to deliver relevant content and measure the effectiveness of our communications.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our website.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Request that we correct inaccurate or incomplete information.
• Deletion: Request that we delete your personal information, subject to legal and contractual retention requirements.
• Objection: Object to the processing of your personal information in certain circumstances.
• Portability: Request your personal information in a structured, commonly used format.
• Opt-Out: Unsubscribe from marketing communications at any time.

To exercise any of these rights, contact us at info@paay.co. We will respond to your request within 30 days.

8. California Privacy Rights

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. As noted above, we do not sell personal information. To make a request under the CCPA, contact us at info@paay.co.

9. International Data Transfers

PAAY is based in the United States. If you access our Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. We take appropriate measures to ensure that your information receives an adequate level of protection in the jurisdictions in which we process it.

10. Children's Privacy

Our Services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will post the updated policy on our website and update the “Last updated” date. We encourage you to review this page periodically.