Privacy Policy

Eppay ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, share, and safeguard information about you when you use our services through our website, mobile applications, browser extensions, APIs, and related platforms (collectively, the "Services"). It also explains the choices and rights available to you in connection with that information. By accessing or using our Services, you agree to the terms of this Privacy Policy.

Last Updated: April 27, 2026

1. Information We Collect

We collect several categories of information to operate our cryptocurrency payment platform effectively and securely. The categories described below reflect what we receive directly from you, what we observe through your use of our Services, and what we obtain from third-party sources where lawful.

  • Personal Information: Such as your name, email address, phone number, wallet address, country of residence, and date of birth where required for KYC compliance, along with any other information you provide during registration or while using our Services. For business accounts we may additionally collect company name, registration number, beneficial-owner information, and authorized representative details.
  • Non-Personal Information: Technical data such as device model and operating system, unique device identifiers, browser type and version, IP address, time-zone setting, language preference, referring URLs, pages visited, and aggregated usage statistics. This information helps us understand how our Services are used and improve their performance.
  • Payment and Transaction Information: Transaction details related to payments processed through Eppay, including the blockchain network used (Ethereum, BSC, Polygon, Tron, and others), wallet addresses involved, transaction hashes, token type (USDT, USDC), amounts, and timestamps. Because blockchain transactions are recorded on a public ledger, certain transaction data is permanently visible to anyone with the transaction hash or wallet address.
  • Cookies and Tracking Data: Information collected automatically through cookies, web beacons, and similar technologies — see Section 7 for full details on what we collect and how you can control it.

2. How We Use Your Information

We use the information we collect for the following purposes, each grounded in a legitimate business need or legal basis as described in Section 12 below:

  • Provide, operate, and improve our Services, including processing your cryptocurrency payments and maintaining the reliability of our payment gateway across multiple blockchain networks.
  • Process transactions and payments, verify on-chain settlement, generate and manage API keys, and reconcile payment records with our merchants.
  • Communicate with you regarding your account, transactions, security alerts, technical notices, support requests, and — with your consent — promotional materials about new features and updates.
  • Comply with applicable laws and regulations, including anti-money-laundering (AML), know-your-customer (KYC), counter-terrorism financing, and tax-reporting requirements.
  • Detect, investigate, and prevent fraudulent transactions, unauthorized access, and other illegal or abusive activity; protect our rights and the rights of our users and merchants.
  • Conduct internal analytics, develop new features, and perform research to enhance the security, performance, and usability of our platform.

3. Sharing Your Information

We do not sell your personal information. We share your information only in the limited circumstances described below, and only with parties bound by appropriate confidentiality and data-protection obligations.

  • Third-Party Service Providers: We engage trusted vendors to perform services on our behalf, including cloud hosting providers, blockchain node operators, payment processors, KYC/AML verification services, customer-support platforms, email-delivery services, and analytics providers. These vendors are contractually required to use your information only to perform services for Eppay and to protect it consistently with this Privacy Policy.
  • Law Enforcement and Legal Requests: We may disclose your information when required by law, court order, subpoena, or other legal process, or when we believe in good faith that disclosure is necessary to comply with regulatory obligations, enforce our terms, protect our rights or property, or prevent harm.
  • Business Transfers: If Eppay is involved in a merger, acquisition, financing, reorganization, or sale of all or a portion of our assets, your information may be transferred as part of that transaction, subject to standard confidentiality and notice protections.
  • With Your Consent: We may share information with third parties in cases where you explicitly authorize the disclosure, such as connecting your account to a partner integration or sharing transaction confirmations with a merchant.
  • Aggregated or De-Identified Data: We may share aggregated statistics or de-identified information that cannot reasonably be used to identify you for research, reporting, industry benchmarking, or marketing purposes.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes.

4. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.

Specifically: account information is retained for the duration of your active account and for up to seven (7) years after closure to comply with financial record-keeping requirements; transaction records associated with payments are retained for a minimum of five (5) years as required under anti-money-laundering regulations; KYC documentation is retained for the period mandated by the applicable jurisdiction (typically five to ten years); and marketing preferences are retained until you opt out.

Blockchain transaction data is inherently permanent and cannot be deleted from public ledgers. When you request deletion of your account, we will remove or anonymize personal data within our systems, but on-chain records of past transactions will remain visible on the relevant blockchain.

You may request deletion of your personal data by contacting us at the address provided in Section 9. Upon verifying your identity, we will delete or anonymize your data unless retention is required by law.

5. Data Security

We implement industry-standard technical and organizational security measures designed to protect your information against unauthorized access, alteration, disclosure, and destruction.

Our security program includes:

  • TLS encryption for all data transmitted between your device and our servers, and AES-256 encryption for sensitive data at rest.
  • Strict access controls, multi-factor authentication for administrative access, and the principle of least privilege for internal personnel.
  • Continuous monitoring, intrusion detection, regular vulnerability scanning, and periodic third-party security audits.
  • Secure software-development practices, including code review, dependency scanning, and a responsible-disclosure program for security researchers.

Despite these safeguards, no method of transmission over the Internet or method of electronic storage is one-hundred-percent secure. We cannot guarantee absolute security, and you are responsible for keeping your account credentials and self-custodial wallet keys confidential.

6. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Right of Access — to obtain confirmation of whether we process your personal data and to receive a copy of that data.
  • Right to Rectification — to have inaccurate or incomplete personal data corrected without undue delay.
  • Right to Erasure ("Right to Be Forgotten") — to request deletion of your personal data, subject to legal retention requirements.
  • Right to Restriction of Processing — to limit the ways we process your data under certain circumstances.
  • Right to Data Portability — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to Object — to object to processing based on our legitimate interests or for direct-marketing purposes.
  • Right to Withdraw Consent — where processing is based on your consent, you may withdraw consent at any time without affecting prior lawful processing.
  • Right to Lodge a Complaint — to file a complaint with a supervisory authority in your country of residence or place of work.

To exercise any of these rights, please contact us at info@eppay.io. We will respond to verified requests within the time frame required by applicable law (typically thirty days).

7. Cookies and Tracking Technologies

We use cookies, web beacons, pixel tags, and similar technologies to operate our Services, remember your preferences, analyze traffic, and — where permitted — deliver relevant content.

We use the following categories of cookies:

  • Essential Cookies — required for core functionality such as authentication, session management, and security. These cannot be disabled.
  • Analytics Cookies — help us understand how users interact with our Services (for example, via Google Analytics and Yandex.Metrica). The data is aggregated and used to improve site performance.
  • Functional Cookies — remember your preferences, such as language and currency settings.
  • Marketing Cookies — used to deliver advertisements relevant to your interests, including Twitter and Facebook conversion-tracking pixels. Used only with your consent where required.

You can control or disable cookies through your browser settings; however, doing so may affect the functionality of our Services. Most browsers allow you to refuse cookies entirely, accept only first-party cookies, or be notified when a cookie is set.

8. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

When we make material changes, we will notify you by posting the updated policy on this page with a revised "Last Updated" date and, where appropriate, by sending you a notice via email or an in-app notification before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Services after any changes constitutes your acceptance of the updated Privacy Policy.

9. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our privacy team. We aim to respond to all inquiries within five (5) business days.

For data-protection-specific inquiries, including requests to exercise your rights under GDPR, CCPA, or similar laws, please mark your message "Privacy Request" in the subject line so it is routed to the appropriate team.

10. Accessibility

This Privacy Policy is available on our website at https://eppay.io/privacy_policy and can be accessed directly from within our mobile applications. Translations are provided in ten languages — English, Spanish, French, German, Turkish, Arabic, Chinese, Japanese, Russian, and Portuguese — so that users can review their rights in the language they understand best. If you require this policy in an alternate format for accessibility reasons, please contact us.

11. International Data Transfers

Eppay operates globally, and your information may be transferred to, stored in, or processed in countries other than the country in which you reside, including jurisdictions that may not provide the same level of data protection as your home country.

When we transfer personal data internationally, we implement appropriate safeguards — such as European Commission-approved Standard Contractual Clauses — to ensure your information remains protected to a standard consistent with applicable data-protection laws, including the GDPR for users in the European Economic Area and the UK.

By using our Services you understand that your information will be transferred to and processed in jurisdictions where Eppay or its service providers operate.

12. Legal Basis for Processing (EEA / UK Users)

For users in the European Economic Area, the United Kingdom, and other regions with similar data-protection regimes, we process your personal data on one or more of the following legal bases:

  • Performance of a Contract — processing necessary to provide the Services you have requested, such as executing a payment you initiated.
  • Legitimate Interests — processing necessary for our legitimate business interests, such as fraud prevention, network security, and product improvement, provided that those interests are not overridden by your rights and freedoms.
  • Legal Obligation — processing necessary to comply with our legal obligations, such as anti-money-laundering reporting and tax record-keeping.
  • Consent — processing based on your explicit consent, which you may withdraw at any time (for example, for marketing communications or non-essential cookies).

13. Children's Privacy

Our Services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If we become aware that we have collected personal information from a child under 18 without verified parental consent, we will take steps to delete such information as quickly as possible.

If you believe that a child has provided us with personal information, please contact us at info@eppay.io and we will investigate promptly.

14. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

  • Right to Know what personal information we have collected about you and how we have used and disclosed it.
  • Right to Delete personal information we have collected from you, subject to certain exceptions.
  • Right to Correct inaccurate personal information.
  • Right to Opt-Out of the sale or sharing of personal information — Eppay does not sell personal information.
  • Right to Limit Use of sensitive personal information.
  • Right to Non-Discrimination for exercising your privacy rights.

To exercise these rights, contact us at info@eppay.io. You may also designate an authorized agent to make requests on your behalf, subject to our verification of the agent's authority.

15. Data Breach Notification

In the unlikely event of a data breach that affects your personal information and is likely to result in a high risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, as required by applicable law.

Where the breach is likely to result in a high risk to you personally, we will also notify affected users directly without undue delay, providing information about the nature of the breach, the categories of data affected, the likely consequences, and the steps we are taking to mitigate the impact.