Privacy policy

1. Who we are

The operator of PayByCc is the entity identified in your deployment (please insert your registered business name and address in production). For privacy requests, use the Contact page.

2. Information we collect

Depending on how you use the service, we may process:

• Account & profile: name, email, phone, user identifier (e.g. user code), authentication secrets (stored hashed), and optional identity fields collected for KYC where applicable.
• Payment data: transaction amounts, currency, status, gateway references, provider payloads needed to complete or reconcile payments, and timestamps.
• Bank account details: bank name, account holder, masked or full account identifiers, IFSC, and flags such as primary account — submitted by you for payouts/settlement flows.
• Gateway credentials (administrative): keys or secrets you configure for payment gateways — stored encrypted at rest where implemented.
• Technical data: IP address, device/browser signals, cookies or similar technologies associated with sessions (see §8).
• Communications: messages you send via contact forms or support channels.

3. Legal bases & purposes (summary)

We process personal data to:

• Provide, operate, and secure the platform (contract / legitimate interests).
• Authenticate users, prevent fraud and abuse, comply with financial/KYC obligations where applicable (legal obligation / legitimate interests).
• Process payments and maintain settlement records (contract).
• Respond to inquiries (contract / legitimate interests).
• Improve reliability and safety of the service (legitimate interests), including logs with appropriate retention.

Where consent is required for optional processing (e.g. certain marketing communications), we will ask separately.

4. Sharing of information

We do not sell your personal information. We may share data with:

• Payment partners: acquiring banks, payment gateways, or processors necessary to authorize and settle transactions.
• Infrastructure providers: hosting, email delivery, logging — under contractual safeguards.
• Authorities: when required by applicable law, regulation, legal process, or to protect rights and safety.
• Professional advisers: auditors or lawyers where permitted.

5. Retention

We retain information only as long as necessary for the purposes above, including legal, regulatory, tax, and dispute-resolution requirements. Backup copies may persist for a limited period consistent with those needs.

6. Security

We implement administrative, technical, and organizational measures appropriate to the risk — including encryption for sensitive fields where configured (e.g. gateway secrets), access controls, and secure transport (HTTPS). No method of transmission or storage is 100% secure; we strive to follow industry practices.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correction, deletion, restriction, portability, or objection. To exercise rights, contact us via the Contact page. We may need to verify your identity. You may also lodge a complaint with your local supervisory authority.

8. Cookies & sessions

We use cookies or similar technologies necessary for authentication (e.g. session cookies), CSRF protection, and preferences. You can control cookies through browser settings; disabling essential cookies may affect login.

9. Children

The service is not directed at children under 16 (or the minimum age in your region). We do not knowingly collect personal information from children.

10. International transfers

If data is processed across borders, we implement suitable safeguards as required by law (e.g. standard contractual clauses where applicable).

11. Changes

We may update this policy from time to time. Material changes will be indicated by updating the “Last updated” date and, where appropriate, additional notice.

12. Contact

Questions about privacy? Reach us through Contact us.