Last updated: 2026-04-28

Privacy Policy

This policy explains what personal data Paya collects, why, and how we protect it. The data controller is Hakob Chobanyan (“Paya”, “we”).

1. What we collect

• Account data. Email, password hash (Argon2-derived), display name.
• KYC data (when you opt in). Government ID details, selfie, address, date of birth — collected via Persona Inc., processed under their privacy policy.
• Wallet + transaction data. Solana public keys, transaction signatures, USDC amounts, timestamps, optional descriptions, recipient details you provide.
• Billing data. Stripe customer ID, subscription state, invoice numbers. Card numbers are stored by Stripe, not us.
• Technical data. IP address, user agent, device fingerprint, request timestamps. Used for rate limiting, fraud detection, and abuse response.
• Communications. Emails you send to us. We don’t monitor in-app messages.

2. Why we collect it (legal basis)

• Service performance (Art. 6(1)(b) GDPR). Account, wallet, and transaction data is needed to deliver Paya.
• Legal obligation (Art. 6(1)(c)). KYC, sanctions screening, tax reporting are required by anti-money-laundering law.
• Legitimate interest (Art. 6(1)(f)). Fraud detection, security logging, service analytics. We balance this against your privacy.
• Consent (Art. 6(1)(a)). Optional marketing emails and non-essential cookies. Withdraw any time.

3. How long we keep it

• Account data: while your account is active, plus 30 days after closure.
• Transaction + ledger data: 10 years (statutory retention for financial records).
• KYC documents: 5 years after relationship ends, per AML rules.
• Logs (IP, user-agent): 90 days, then anonymised.

4. Who we share with

We do not sell personal data. We share only with:

• Persona Inc. — KYC verification (US-based, GDPR-compliant via SCCs).
• Stripe Payments Europe Ltd — subscription billing.
• TxShield — internal fraud screening (operated by us, same data controller).
• Hosting infrastructure — Hetzner Online GmbH (Germany), used for compute and storage.
• Law enforcement — when compelled by valid legal process.

5. International transfers

Persona and Stripe may process data outside the EEA. Both rely on Standard Contractual Clauses to ensure GDPR-equivalent protection.

6. Your rights

Under GDPR, you have the right to:

• Access your data — GET /api/v1/auth/me + GET /api/v1/export/transactions for the machine-readable form.
• Correct inaccurate data — most fields are editable in settings.
• Erase your data — see “Account deletion” below. Note: financial records cannot be erased while statutory retention applies.
• Restrict or object to processing.
• Data portability — request a JSON export.
• Lodge a complaint with your supervisory authority. The German Federal Data Protection Commissioner is the lead authority for Paya.

7. Account deletion

From settings, request deletion. We anonymise your account within 30 days. Transaction records remain in pseudonymised form (no link to a person) for the legal retention period.

8. Security

• Wallet private keys: AES-256-GCM at rest, master key never stored alongside encrypted blobs.
• Passwords: Argon2 with random salts.
• Transport: TLS 1.2+ enforced; HSTS preload.
• Access: role-based, audit-logged. Production access is two-person rule.

9. Children

Paya is not for children under 16. We do not knowingly collect data from children.

10. Cookies

We set one essential cookie (session) to keep you logged in. We don’t use third-party advertising or tracking cookies.

11. Contact

Privacy questions: privacy@paya.fund. Postal: Hakob Chobanyan, Berlin (full address on the Impressum page).

This is a starting baseline. Operators should have it reviewed against their actual data flows and supervisory authority guidance before relying on it.