Privacy Policy

1. Introduction

This Privacy Policy explains how our cryptocurrency payment gateway service (the “Company”, “we”, “us” or “Platform”) collects, uses, stores, and discloses personal information of users. We are a Canada-registered company providing crypto-only merchant payment processing services globally. We are committed to protecting your privacy and safeguarding personal data. We implement all necessary legal, technical, and organizational measures to ensure the confidentiality, integrity, and availability of your personal information. Our data handling practices comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

By using our Platform, you agree to the collection and use of information in accordance with this Policy. If you do not agree, please discontinue use of the services.

2. Personal Data We Collect

We minimize the personal data we collect, gathering such information mainly in cases where enhanced verification is required for compliance or security (e.g. high-risk transactions flagged under our Anti-Money Laundering (AML) procedures). The types of personal data we may collect include:

  • Account Information: at sign-up we collect your email address and a password (stored only in hashed form). We also store the two-factor authentication (TOTP) secret you generate when you enable 2FA. We do not collect your name, address, or any other identity attributes at sign-up.
  • Marketing Attribution Data: when you arrive at our website from a marketing campaign, we record the standard UTM parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content) that are present in the URL and associate them with the resulting account so we can measure channel effectiveness. We do not place advertising cookies or use third-party advertising trackers.
  • Merchant Verification Data (KYB): when you create a merchant, you are asked to complete a KYB form. For an individual merchant we collect your full legal name, date of birth, residential address, nationality, country of residence or operation, contact phone number (optional), business description and category, expected monthly payment volume, average transaction size, operating countries, customer geographies, source-of-funds information, source-of-wealth information where provided, regulatory licence details where applicable, and a prohibited-business attestation. For a legal entity we collect the registered legal name, registration number, tax identifier (if applicable), legal address, country of incorporation, directors, beneficial owners or controllers, authorised representative name and role, business description and category, expected monthly payment volume, average transaction size, operating countries, customer geographies, source-of-funds information, source-of-wealth information where provided, regulatory licence details where applicable, and ownership/prohibited-business attestations. Director, authorised-representative, beneficial-owner and controller records may include full legal name, role or control type, residential address, date of birth, nationality, and ownership percentage where applicable. This information is necessary to comply with our AML obligations.
  • Transaction Data: details related to cryptocurrency transactions processed through our gateway, such as blockchain wallet addresses, transaction IDs, hashes, and amounts. These by themselves usually do not identify individuals, but they are associated with your account activity.
  • High-Risk Verification Data (KYC): in the event of a flagged high-risk transaction or account activity, we may require you to undergo identity verification. In such cases, additional personal data is collected directly by our KYC provider, AMLBot (operated by Safelement Limited), and shared with us. This may include your full name, date of birth, residential address, telephone number, email, and KYC documentation — for example, government-issued identification (passport or driver’s licence), proof of address, a selfie or photograph for facial verification, and any other information necessary to confirm your identity.
  • Device and Session Information: when you sign in, we record your IP address and the User-Agent string of your browser against your session and refresh-token records. This is used to secure your account, to help you recognise and revoke unfamiliar sessions, and to detect suspicious sign-in patterns. We do not run device fingerprinting beyond the User-Agent string and we do not buy or augment device data from third-party data brokers.
  • Communication Data: if you contact support by email or through one of our support channels, we collect the information you provide (such as your contact details and the content of your communications) and the support agent’s replies, so we can assist you and keep a record of the request.

We do not intentionally collect any sensitive personal data (such as racial or ethnic origin, political opinions, health information, etc.), as our services are not designed to require such data. We ask that you not send us or upload any sensitive personal information unless specifically requested for compliance reasons.

3. Purpose of Data Processing

We process personal data for the following purposes, in accordance with the principles of necessity and proportionality:

  • Providing Services: to provide and maintain our services to you as a user or merchant. We use account information to set up your profile and authenticate your access, and we use transaction data to process payments or payouts.
  • Customer Support and Communication: to contact you about your account, provide customer support, and respond to inquiries or requests.
  • Compliance with Legal Obligations: to comply with applicable legal requirements, including AML/CFT (anti-money laundering and counter-terrorist financing) obligations and sanctions screening. If certain transactions are flagged as potentially high-risk or suspicious, we will use your personal data to verify your identity and the legitimacy of the transaction (via KYC checks). We may also use personal data to fulfill record-keeping requirements (e.g. retaining transaction and identity records for a minimum period as required by law), assess the source of funds or wealth and business purpose of merchant activity, and cooperate with law enforcement or regulatory investigations, if legally obligated.
  • Security and Fraud Prevention: to protect our Platform, you, and other users from unauthorized access, fraud, spam, or other malicious activities. We may utilize automated decision-making and profiling as part of our fraud and risk prevention measures (for instance, automated algorithms may flag a transaction as high-risk based on predetermined criteria), but any decision to restrict services or require KYC will involve human review.
  • Service Improvements and Product Analytics: to improve our services and user experience we use Plausible Analytics, a privacy-friendly web-analytics tool that does not place cookies, does not collect personal information, and does not build cross-site profiles. We also record high-level product events such as “Signup”, “MerchantCreated”, “KYBSubmitted” and “Withdrawal” to understand how merchants progress through key product flows. These events are tied to internal identifiers and are not linked to individuals for advertising purposes.
  • Transactional Communications: we send you operational emails strictly necessary to deliver the service — verification codes, security notifications (new IP, password change, 2FA changes), KYC and withdrawal status updates, and other account-related messages. These are sent through our email-delivery provider Postmark and are not subject to marketing opt-out, since they are necessary to operate your account.
  • Marketing and Product Updates (Opt-in): we may send you newsletters, product announcements, or promotional communications about our services only if you have expressly opted in. You can opt out at any time using the unsubscribe link in each message or by contacting us at support@pawpayments.com, and we will stop sending marketing messages without affecting transactional communications. We do not sell or rent your contact details to third parties for their own marketing.

Our legal bases for processing personal data include: contractual necessity (to provide the services you requested per our Terms of Use), legal obligations (compliance with laws such as AML regulations), legitimate interests (to secure and improve our platform, to prevent fraud, etc.), and your consent (e.g. when you submit KYC information). Under GDPR, where consent is the basis, you have the right to withdraw consent at any time; however, this will not affect processing already carried out or any mandatory data processing under other bases.

4. How We Store and Protect Data

We take data security seriously and employ industry-standard security measures to protect your personal information from unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit (e.g., using HTTPS/TLS for our website), encryption of sensitive data at rest, firewalls and access controls on our servers, and regular security audits. We also limit internal access to personal data: only personnel with a legitimate business need (such as compliance or support staff) will access your data, and they are trained on confidentiality obligations.

Personal data collected may be stored on cloud servers or databases that could be located in Canada, the United States, or other jurisdictions. In all cases, we ensure that appropriate safeguards are in place to protect the data. If you are located in the European Economic Area (EEA) or another region with data transfer restrictions, and your data is transferred to a jurisdiction not deemed “adequate” by regulators, we will rely on lawful transfer mechanisms. These may include European Commission-approved Standard Contractual Clauses (SCCs) or other safeguards to ensure an adequate level of protection for the transferred data.

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy or as required by law. In general, basic account data is kept for the duration of your use of our services. If you close your account or it becomes inactive, we will delete or anonymize your personal data after a defined retention period. However, records related to transactions and any identity verifications performed are retained to comply with legal requirements — typically, we keep such records for a minimum of five (5) years after the end of the business relationship or the date of a transaction, in line with AML record-keeping laws. When personal data is no longer needed, we will securely destroy or anonymize it.

5. Disclosure of Personal Data

We do not disclose or share your personal information with third parties except in the limited cases described below. Each provider listed acts as our processor under a written data-processing agreement (or equivalent contractual terms) and is permitted to use your data only to deliver the contracted service to us.

  • AMLBot (Safelement Limited) — KYC identity verification, sanctions and PEP screening, adverse-media screening, and blockchain transaction analytics. Receives identification documents, biometric data, and wallet addresses when a high-risk event triggers EDD.
  • Postmark (ActiveCampaign, Inc.) — delivery of transactional emails (verification codes, security alerts, KYC/withdrawal notifications). Receives your email address and the contents of the message we send you.
  • Plausible Analytics — privacy-friendly web analytics for our website and dashboard. Does not use cookies, does not collect personal data, and does not build cross-site profiles.
  • hCaptcha (Intuition Machines, Inc.) — bot protection on registration, sign-in, and password-reset forms. Performs its own risk-signal collection (including IP address, User-Agent and basic interaction data) directly from your browser; we receive only the pass/fail result. hCaptcha’s own privacy policy applies to that processing.
  • Telegram — we operate verification and support bots on Telegram. If you choose to interact with these bots, your Telegram handle and the messages you send are visible to us. The Telegram service itself is provided by Telegram FZ-LLC and is governed by Telegram’s own privacy policy.
  • Guardarian (Guardarian OÜ) — an independent third-party fiat-on-ramp provider used when a payer pays an invoice with a card on our checkout. Card details, billing data, and any KYC for the card-payment leg are submitted by the payer directly to Guardarian; we do not receive or store card numbers. Guardarian’s own terms and privacy policy apply to that processing.

In addition, we may disclose personal information:

  • To affiliates and in corporate transactions — if we expand into subsidiaries or affiliates we may share data within our corporate family on a need-to-know basis under similar protections. In the event of a merger, acquisition, reorganisation, or sale of all or part of our business, personal data may be transferred to the successor entity. We will give affected users notice before their data becomes subject to a different privacy policy.
  • For legal compliance and protection — to government authorities, law enforcement, FINTRAC, or other third parties when we believe in good faith that such disclosure is required by law or is necessary to comply with our legal obligations (for instance, to respond to a subpoena, court order, or official request, or to file an STR or LVCTR under PCMLTFA).
  • With your consent — in any other situation where you have given your consent for us to do so.

Importantly, we do not sell your personal data to third parties for profit, and we do not share it with advertising networks. We may share anonymised, aggregated usage data (which cannot be linked back to any individual) with partners or publicly (for example, to report trends or statistics about cryptocurrency usage on our Platform), but such data contains no personal identifiers.

6. International Users and Cross-Border Data

Given the global nature of our services, personal data may be processed in or transferred to countries outside of your home jurisdiction, including Canada and the United States. If you are located outside of Canada, please be aware that data protection laws in the jurisdiction where your data is processed may differ from those in your country. However, we will ensure that appropriate safeguards are in place to protect your personal information consistent with the standards of your jurisdiction (for example, GDPR-compliant measures for EU residents).

For users in the European Union or United Kingdom: our Company acts as a data controller for your personal data. We rely on legal bases such as consent and legitimate interest for processing as outlined above. If we transfer your data out of the EEA/UK (for example, to Canada or the U.S.), we ensure such transfer is lawful. Canada has been recognized by the European Commission as providing an adequate level of data protection for personal data transferred from the EU to recipients subject to PIPEDA. For transfers to any country not covered by an adequacy decision, we implement measures like Standard Contractual Clauses or obtain your consent where required.

7. Your Rights and Choices

We respect your rights to your personal data. Subject to applicable law (such as GDPR and PIPEDA), you have the following rights regarding your personal information:

  • Access and Portability: you have the right to request a copy of the personal data we hold about you and to obtain information about how it is processed. Where applicable, we will provide your data in a portable format.
  • Rectification: you have the right to ask us to correct or update any inaccurate or incomplete personal information.
  • Erasure: you can request that we delete your personal data if it is no longer necessary for the purposes collected, or if you withdraw consent (where applicable) or object to processing, and we have no overriding legitimate grounds to continue processing. Note that we may need to retain certain information for legal compliance (for example, we cannot immediately delete records that we are required to keep by law).
  • Restriction of Processing: you have the right to ask us to limit the processing of your data in certain circumstances.
  • Objection: where we rely on legitimate interests for processing, you have the right to object to that processing on grounds relating to your particular situation. You also have an unconditional right to object to your personal data being used for direct marketing purposes at any time.
  • Withdraw Consent: if we are processing your personal data based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
  • Complaints: you have the right to lodge a complaint with a relevant data protection supervisory authority if you believe we have infringed your privacy rights. EU users can contact their national Data Protection Authority; Canadian users can contact the Office of the Privacy Commissioner of Canada (OPC).

To exercise any of these rights, please contact us using the contact information in Section 11 below. We will respond to your request within the timeframe required by law (generally within 30 days for most requests). We may need to verify your identity (for example, by asking you to provide information or log in to your account) before fulfilling certain requests, to ensure we do not disclose data to the wrong person or make incorrect changes.

8. Cookies and Similar Technologies

We use cookies only where they are strictly necessary to operate the Platform securely. We do not use advertising cookies, behavioural-tracking cookies, or third-party analytics cookies.

The cookies we set are:

  • Authentication cookies: access_token, refresh_token, verification_token, and totp_challenge. These are HTTP-only, secure cookies that keep you signed in, perform short-lived email verification, and complete two-factor authentication challenges. Without these cookies you cannot use the merchant dashboard.
  • hCaptcha cookies — set by hCaptcha on registration, sign-in and password-reset pages to deliver bot protection. Governed by the hCaptcha privacy policy.

Plausible Analytics, our web-analytics provider, does not place cookies and does not collect personally identifying data; it relies on aggregated, anonymous signals. You may control or delete cookies through your browser settings, but disabling our authentication cookies will prevent you from signing in.

9. Children's Privacy

Our services are not directed to individuals under the age of majority (which is typically 18 years old). We do not knowingly collect personal information from children. If you are under 18, please do not use our Platform or send us any personal information. If we learn that we have inadvertently collected personal data from a minor, we will take steps to delete such information promptly. Parents or guardians who believe their child may have provided us personal data can contact us and request deletion.

10. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons. When we make significant changes, we will notify users by posting a prominent notice on our website or through other communication channels. The “Last Updated” date at the top of the Policy will indicate when the latest changes were made. We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you can contact us at:

We will gladly assist you and address any issues you may have. Your privacy is important to us, and we welcome your feedback.