Privacy Policy

Effective Date: December 15, 2025
Last Updated: December 15, 2025
Version: 1.0.0

1. Introduction

Provvypay ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our payment processing platform.

This Privacy Policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws. By using our Service, you consent to the data practices described in this policy.

We are the data controller responsible for your personal data. If you have any questions about this policy or our data practices, please contact us using the information provided at the end of this document.

2. Information We Collect

2.1 Information You Provide

We collect information that you provide directly to us:

  • Account Information: Name, email address, password, organization details, business information
  • Payment Information: Bank account details, Stripe account ID, Hedera wallet addresses
  • Transaction Data: Payment amounts, currency types, invoice references, customer information
  • Integration Data: Xero account credentials, API keys, accounting preferences
  • Communication Data: Messages, support requests, feedback

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Data: Pages visited, features used, time spent, click patterns
  • Log Data: Access times, error logs, performance metrics
  • Cookies: Session cookies, preference cookies, analytics cookies (see our Cookie Policy)

2.3 Information from Third Parties

We receive information from third-party services:

  • Stripe: Payment processing data, transaction status, settlement information
  • Hedera Network: Blockchain transaction data, wallet balances, network confirmations
  • Xero: Accounting data, invoice information, contact details
  • Authentication Providers: Identity verification data, OAuth tokens

3. How We Use Your Information

We use your information for the following purposes:

3.1 Service Delivery

  • Process and manage payment transactions
  • Create and maintain your account
  • Generate payment links and QR codes
  • Facilitate cryptocurrency and card payments
  • Sync data with accounting systems
  • Provide customer support

3.2 Security and Fraud Prevention

  • Detect and prevent fraudulent transactions
  • Monitor for suspicious activity
  • Comply with anti-money laundering (AML) requirements
  • Verify user identity
  • Protect against unauthorized access

3.3 Analytics and Improvement

  • Analyze usage patterns and trends
  • Improve Service performance and features
  • Conduct research and development
  • Generate aggregated, anonymized statistics

3.4 Communication

  • Send transaction confirmations and receipts
  • Provide service updates and notifications
  • Respond to inquiries and support requests
  • Send important security alerts

3.5 Legal Compliance

  • Comply with legal obligations and regulations
  • Respond to law enforcement requests
  • Enforce our Terms of Service
  • Protect our legal rights

5. Data Sharing and Disclosure

We share your information with:

5.1 Service Providers

  • Stripe: Payment processing and card transaction handling
  • Supabase: Database hosting and authentication services
  • Vercel: Website hosting and infrastructure
  • Email Service Providers: Transactional email delivery

5.2 Integrated Services

  • Xero: Accounting data synchronization (with your explicit consent)
  • Hedera Network: Cryptocurrency transaction processing (public blockchain data)

5.3 Legal Requirements

We may disclose your information:

  • To comply with legal obligations or court orders
  • To respond to law enforcement requests
  • To protect our rights, property, or safety
  • To prevent fraud or criminal activity

5.4 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement comprehensive security measures to protect your data:

6.1 Technical Measures

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Secure Development: Regular security audits, code reviews, and vulnerability scanning

6.2 Organizational Measures

  • Employee training on data protection
  • Confidentiality agreements with staff and contractors
  • Incident response procedures
  • Regular security awareness training

6.3 PCI DSS Compliance

We comply with PCI DSS requirements by not storing card data on our servers. All card payments are processed through Stripe, a PCI DSS Level 1 certified processor.

7. Data Retention

We retain your data for different periods:

  • Account Data: Retained while your account is active and for 7 years after account closure (for legal and accounting purposes)
  • Transaction Data: Retained for 7 years to comply with financial regulations and tax requirements
  • Communication Data: Retained for 3 years after the last interaction
  • Log Data: Retained for 90 days unless required for security investigations
  • Cookie Data: Varies by cookie type (see Cookie Policy)

After the retention period, we securely delete or anonymize your data. You can request earlier deletion of certain data (see Your Rights section).

8. Your Privacy Rights (GDPR)

Under GDPR and other privacy laws, you have the following rights:

8.1 Right to Access

You have the right to request a copy of the personal data we hold about you. We will provide this in a structured, commonly used, and machine-readable format.

8.2 Right to Rectification

You have the right to correct inaccurate or incomplete personal data. You can update most information through your account settings.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data. This right is subject to certain exceptions, including:

  • We need the data to comply with legal obligations
  • The data is required for establishing, exercising, or defending legal claims
  • We have a legitimate interest that overrides your request

8.4 Right to Restrict Processing

You have the right to request that we limit how we process your data in certain circumstances.

8.5 Right to Data Portability

You have the right to receive your personal data in a portable format and to transmit it to another service provider.

8.6 Right to Object

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

8.7 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time.

8.8 How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@provvypay.com. We will respond to your request within 30 days. You also have the right to lodge a complaint with your local data protection authority.

9. Cookies and Tracking

We use cookies and similar tracking technologies to provide and improve our Service. For detailed information about our cookie practices, please see our Cookie Policy.

We use the following types of cookies:

  • Essential Cookies: Required for the Service to function
  • Performance Cookies: Help us understand how you use the Service
  • Functionality Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us improve the Service

10. Third-Party Services

Our Service integrates with third-party services that have their own privacy policies:

We are not responsible for the privacy practices of third-party services. We encourage you to review their privacy policies.

11. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. These countries may have different data protection laws.

When we transfer data internationally, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the EU Commission
  • Adequacy decisions by relevant authorities
  • Privacy Shield certification (where applicable)
  • Contractual protections with service providers

By using the Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

12. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

If we discover that we have collected personal data from a child without parental consent, we will take steps to delete that information as quickly as possible.

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt out of the "sale" of your personal information (note: we do not sell personal information)
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

To exercise these rights, contact us at privacy@provvypay.com. We will verify your identity before responding to your request.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on our website
  • Updating the "Last Updated" date
  • Sending an email notification to your registered email address
  • Displaying a prominent notice on the Service

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy. We encourage you to review this policy periodically.

15. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

Data Protection Officer

Email: privacy@provvypay.com

Email: dpo@provvypay.com

Email: support@provvypay.com

Address: [Your Business Address]

We will respond to all requests within 30 days as required by GDPR and other applicable privacy laws.

Your Privacy Matters: We are committed to protecting your personal data and respecting your privacy rights. This policy is compliant with GDPR, CCPA, and other major privacy regulations. If you have any concerns, please don't hesitate to contact us.

Document History

Version 1.0.0, December 15, 2025

This document is reviewed regularly and updated as needed to reflect changes in our practices and legal requirements.